Lines Matching +full:system +full:- +full:control
14 …per was presented at the 2nd International System Administration and Networking Conference "SANE 2…
17 Poul-Henning Kamp <phk@FreeBSD.org>
25 OS. FreeBSD 4.0-RELEASE was the first release including this
27 Follow-on work was sponsored by Safeport Network Services,
32 Adding fine-grained access control improves the expressiveness,
33 but often dramatically increases both the cost of system management
39 Where multiple mutually un-trusting parties are introduced,
44 the operating system environment, while maintaining the simplicity
47 is limited to the jail, allowing system administrators to delegate
57 The UNIX access control mechanism is designed for an environment with two
60 system, allowing easy sharing of files and inter-process communication.
63 Users of FreeBSD in non-traditional UNIX environments must balance
71 simultaneously impose system-wide mandatory policies on process
73 Attempting to create such an environment in the current-day FreeBSD
81 real-world example:
83 operating system to host customer web sites, as it provides a
84 high-performance, network-centric server environment.
93 such as web servers and other content-related daemon programs.
100 Delegation of management functions within the system must
101 be possible, but not at the cost of system-wide requirements, including
104 However, UNIX-style access control makes it notoriously difficult to
109 scope of their functionality, and effectiveness at what they provide \s-2[CHROOT]\s+2.
112 the file system name-space is limited to a single subtree.
126 Unlike other fine-grained security solutions, Jail does not
128 system administrator, as each Jail is a virtual FreeBSD environment
130 same properties as the main system itself, making Jail easy to use
133 Traditional UNIX Security, or, ``God, root, what difference?" \s-2[UF]\s+2.
136 system. In turn, each process ``owned'' by a user will be tagged with that
138 they determine how discretionary access control mechanisms will be applied, and
144 as a limited form of access control list. Jail is, in general, not concerned
145 with modifying the semantics of discretionary access control mechanisms,
151 process is acting with ``super-user privileges'', and all access checks are
159 to the ``root'' user \s-2[ROOT]\s+2.
161 these privileged operations can be used to manage system hardware and
162 configuration, file system name-space, and special network operations.
167 compromise of the root capability set, the attacker has complete control over
168 the system. Even without an attacker, the risks of a single administrative
171 that of all system management abilities. These features make the omnipotent
177 until the system is restarted and brought up into single-user mode.
185 fine-grained access controls for system resources \s-2[BIBA]\s+2.
197 ``trust that the system is secure, when in fact it isn't''.
201 controls \s-2[UAS]\s+2.
207 some trusted operating systems, a system capability may be assigned to a
210 any other account, as the ability to access any file provides access to system
219 security management APIs. When fine-grained capabilities are introduced to
220 replace the setuid mechanism in UNIX-like operating systems, applications that
228 different systems \s-2[POSIX1e]\s+2.
232 Jail neatly side-steps the majority of these problems through partitioning.
234 than introduce additional fine-grained access control mechanism, we partition
235 a FreeBSD environment (processes, file system, network resources) into a
242 access to the super-user account in each of these without losing control of
243 the over-all environment.
246 system is booted up after a fresh install, no processes will be in jail.
266 name-space is restricted in the style of chroot(2), the ability to bind network
268 system resources and perform privileged operations is sharply curtailed, and
273 file system name-space for jailed processes. When a jail is created, it is
274 bound to a particular file system root.
277 file system root are protected. Traditional mechanisms for breaking out of
280 with its exclusive file system root, and standard FreeBSD directory layout,
294 between a jailed environment or un-jailed environment. Processes running with
301 any uid, as long as it is accessible through the jail file system name-space.
308 sysctl or process file system monitoring mechanisms. Jail does not prevent,
316 framework, almost all applications will run unaffected. Standard system
341 \(bu Changing securelevel-related file flags is prohibited.
365 most applications to run un-hindered, but preventing calls that might allow an
367 system-wide configuration.
380 restricting access within the jail environment to a well-defined subset
384 fine-grained access control mechanisms, and maintaining a consistent
390 The jail code is included in the base system as part of FreeBSD 4.0-RELEASE,
391 and fully documented in the jail(2) and jail(8) man-pages.
395 .IP \s-2[BIBA]\s+2 .5i
398 .IP \s-2[CHROOT]\s+2 .5i
405 directory and build a system using only the files, include files,
408 .IP \s-2[LOTTERY1]\s+2 .5i
409 David Petrou and John Milford. Proportional-Share Scheduling:
410 Implementation and Evaluation in a Widely-Deployed Operating System,
413 \s-2\fChttp://www.cs.cmu.edu/~dpetrou/papers/freebsd_lottery_writeup98.ps\fP\s+2
414 \s-2\fChttp://www.cs.cmu.edu/~dpetrou/code/freebsd_lottery_code.tar.gz\fP\s+2
415 .IP \s-2[LOTTERY2]\s+2 .5i
416 …roportional-Share Resource Management, Proceedings of the First Symposium on Operating Systems Des…
418 \s-2\fChttp://www.research.digital.com/SRC/personal/caw/papers.html\fP\s+2
419 .IP \s-2[POSIX1e]\s+2 .5i
421 Portable Operating System Interface (POSIX) \(em
422 Part 1: System Application Program Interface (API) \(em Amendment:
423 Protection, Audit and Control Interfaces [C Language]
425 .IP \s-2[ROOT]\s+2 .5i
427 called the super-user account ``zeus''.
428 .IP \s-2[UAS]\s+2 .5i
429 One such niche product is the ``UAS'' system to maintain and audit
432 \s-2\fChttp://www.entactinfo.com/products/uas/\fP\s+2
433 .IP \s-2[UF]\s+2 .5i
434 Quote from the User-Friendly cartoon by Illiad.
436 \s-2\fChttp://www.userfriendly.org/cartoons/archives/98nov/19981111.html\fP\s+2