Operating Systems 2017F Lecture 22
Latest revision as of 16:58, 7 December 2017
Video
Lecture 22 Video: http://homeostasis.scs.carleton.ca/~soma/os-2017f/lectures/comp3000-2017f-lec22-05Dec2017.mp4
Notes
In Class
Lecture 22
----------

What's left?
 * scheduling
 * device drivers
 * virtual memory
   - page replacement algorithms
     - predict the future (optimal)
     - least recently used
     - one-handed, two-handed clocks
 * power management
 * security
   - hardening processes so coding errors don't lead to vulnerabilities (machine code injection, e.g. buffer overflow attacks)
 * virtualization
   - hardware-level (run multiple kernels) <-- vmware, openstack
   - OS-level (run multiple userspaces) <-- containers, web hosting
   - application level (run programs on simulated machines)
     - JVM
     - JavaScript runtime in browsers/node
 * distributed operating systems
ADDITIONAL NOTES:
Comp 3000
Permissions on this directory: readable, writable and executable
Execute permission on a regular file: you can execute it
Execute permission on a directory: you can follow the links in the directory
You can't make any changes to the directory if you can't write to it
There are exceptions:
less /etc/passwd: doesn't actually store the password
If you want to change this file, there must be a way to allow limited editing of it.
You can have a process running as root, send it signals and tell it to update the entry in the password file.
o Starting up a process which has more privileges than I do, ex: EUID
ls -la /sbin | grep rws : on execve, the EUID will be set to whatever it is from the file, equal to the uid
ls -la /sbin | grep r-s : s is a sticky bit, if you need extra permissions
You want your sticky bit to be a regular user
EUID = UID: yes
cd /tmp : directory in which everyone can write
This allows binaries to run as users
Set uid and get guid:
myid has euid now
Change the ownership
-> chown root:root myid
-> chown root:root mytouch
ls -la : the 3rd column identifies the ownership of each file on the file system
You can overwrite any file on the file system using the mytouch binary
Question: why can you remove a file owned by root?
-> to change the contents of the directory, the permissions of a file don't matter; only the permissions and privileges of the directory matter
o Someone putting a directory in your directory is hard to remove
- SSH to a remote server:
- 2 public keys involved: identity key, private key pair: one in the known hosts file (connecting to the machine).
- If you rm known_hosts and run ssh, a question will ask you to add the key to your hosts file
- What happens if a person tries to impersonate your machine (same IP address)?
o It will identify that it is a fake person from the host
First line is a hashed version of an IP address: cat .ssh/known_hosts
SSH daemon: running in the background and must have a public key to identify itself. Process that runs in the background that doesn't run in the background (connects 1 file system to another)
-> connects sockets and listens for connections. Doesn't interact with the user
Thursday: written version of the solutions for the midterm, and we will talk about assignment 4
3000 class content
We didn't discuss scheduling much:
Virtual memory: similar to scheduling, since if you don't have enough memory, you delete the page that you may want to need at last. Choosing which pages you replace: one-handed and two-handed clocks
Power management
Security
Virtualization: not one thing; VMware, systems which run multiple kernels.
SSH question a student asked: how can they know that they have the private key that belongs to the pubkey: sends a public key or a hash of the pubkey, then an exchange: yes, I have a secret key which can be inverted by the pubkey. Private key must be corresponding. Encrypts with the private key and sends it back
Lecture 22
Synopsis: UID, GUID, EUID, setuid, setguid
What is and isn't permitted on a Linux system?
- a file we create has a user ID and group ID
  - i.e. $ touch
  - $ which touch
  - $ ls -la /bin/touch
    - touch is owned by root, but has global execute permissions
- fork and execve don't change the user ID of a process
- when we create a file, the system checks the user ID/group ID under which the process is running
  - if we want to create a file somewhere
  - check permissions on the dir
N.B.
- on a dir, execute permission means you can follow the links in the dir; write permission means we can create a file
- to change the contents of a directory (i.e. remove a file), the permissions on the file don't matter -> the permissions on the directory do!
  - Read permission lets us read the dir and obtain all the file names contained within
  - Execute permission lets us pass through the dir when we need to search it for a specific filename
  - To create a new file in a directory, we need to have write and execute permissions
    - exceptions to this:
      - $ /etc/passwd
      - $ ls -la /etc/passwd
      - we have a process running as root, to which we can send a message/request using IPC and request a change
- how to start up a process that has more privileges than we do? -> effective UID
  - EUID can be set by special permissions -> sticky bits
    - after an execve the resulting process will have its group and user ID set accordingly
    - setting the sticky bit causes the binary to run as that user
      - any files created will have the user's group
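An audit-style version of `ls -la /sbin | grep rws`, added here as an example and not taken from the lecture: the `s` that the grep matches in the owner triplet is the mode bit `S_ISUID` (setuid), and the first function states the execve rule from the notes in code. The function names and the /usr/bin default are assumptions of this example.

```c
#include <dirent.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* EUID a process gets after execve() of `path`, per the rule in the notes:
   the file owner's UID if the setuid bit is set, otherwise the caller's EUID.
   Returns (uid_t)-1 if `path` is not an examinable regular file.
   (Mounts with nosuid, and scripts, ignore the bit; not modelled here.) */
uid_t euid_after_exec(const char *path, uid_t caller_euid) {
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return (uid_t)-1;
    return (st.st_mode & S_ISUID) ? st.st_uid : caller_euid;
}

/* Print and count the setuid regular files directly inside `dir`.
   Returns -1 if the directory cannot be opened. */
int count_setuid(const char *dir) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    char path[4096];
    while ((e = readdir(d)) != NULL) {
        struct stat st;
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (lstat(path, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & S_ISUID)) {
            printf("%s owner uid=%ld mode=%04o\n", path,
                   (long)st.st_uid, (unsigned)(st.st_mode & 07777));
            n++;
        }
    }
    closedir(d);
    return n;
}

int main(void) {
    int n = count_setuid("/usr/bin");
    printf("%d setuid files in /usr/bin\n", n);
    return n < 0;
}
```

Every root-owned file this lists runs with EUID 0 for whoever executes it, which is why a setuid-root copy of touch, like the mytouch binary in the notes, can overwrite any file.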