Skip to content
My Docs

Security and Access Control

Category: Advanced Operating System Concepts
Type: Operating System Concept
Generated on: 2025-07-10 03:03:36
For: System Administration, Development & Technical Interviews

Security and Access Control Cheatsheet (Advanced OS Concepts)

Section titled “Security and Access Control Cheatsheet (Advanced OS Concepts)”

1. Quick Overview:

Security and Access Control is the set of mechanisms within an operating system that protect system resources (files, memory, devices) from unauthorized access, use, modification, or destruction. It ensures confidentiality, integrity, and availability of data. Its importance lies in preventing malicious attacks, accidental data loss, and maintaining system stability and trustworthiness. Without proper access control, a system is vulnerable to compromise.

2. Key Concepts:

  • Subject: An entity (user, process) that attempts to access a resource.
  • Object: A resource (file, directory, memory segment, device) that the subject wants to access.
  • Access Right: A permission (read, write, execute, delete) that a subject has on an object.
  • Access Control List (ACL): A list associated with an object, specifying which subjects have what access rights to that object.
  • Capability List: A list associated with a subject, specifying what access rights the subject has to which objects.
  • Principle of Least Privilege (POLP): Granting subjects only the minimum necessary access rights to perform their tasks.
  • Authentication: Verifying the identity of a subject. (e.g., username/password, biometrics, certificates).
  • Authorization: Determining whether an authenticated subject is allowed to access a specific resource.
  • Security Policy: A set of rules that defines what actions are allowed and disallowed.
  • Security Mechanism: The implementation of a security policy (e.g., ACLs, Capabilities, Mandatory Access Control).
  • Discretionary Access Control (DAC): Access control is determined by the owner of the object. (e.g., Unix file permissions).
  • Mandatory Access Control (MAC): Access control is determined by a central authority based on security labels assigned to subjects and objects. (e.g., SELinux).
  • Role-Based Access Control (RBAC): Access control is based on roles assigned to users.
  • Multi-Level Security (MLS): A system that handles information at different security levels (e.g., classified, secret, top secret).

3. How It Works:

a) Access Control Matrix:

A conceptual model representing access rights. Rows represent subjects, columns represent objects, and entries represent the access rights.

             |  File A  |  File B  |  Process X |
-------------+----------+----------+------------+
  User 1    |  Read    |  Write   |  Execute   |
  User 2    |          |  Read    |            |
  Process Y |  Read    |          |            |

b) Access Control Lists (ACLs):

Each object has a list detailing which subjects can access it and how.

File A:
    User 1: Read
    Process Y: Read

c) Capability Lists:

Each subject has a list detailing which objects they can access and how.

User 1:
    File A: Read
    File B: Write
    Process X: Execute

d) Typical Access Control Flow:

Subject --(Access Request)-->  Access Control Module --(Policy Check)--> Object


                                     ^
                                     |
                                     (Authentication & Authorization)
  1. Subject Request: A user or process attempts to access a resource.
  2. Authentication: The system verifies the identity of the subject (e.g., password check).
  3. Authorization: The system checks if the authenticated subject is authorized to perform the requested action on the specified object. This involves consulting the access control policy (ACLs, Capabilities, MAC rules).
  4. Policy Check: The access control module enforces the security policy.
  5. Access Granted/Denied: Based on the policy check, access is either granted or denied.

e) Discretionary Access Control (DAC) Example (Unix File Permissions):

ls -l myfile.txt
-rw-r--r--  1 user  group  1024 Jan 1 00:00 myfile.txt
  • -rw-r--r--: Represents the permissions.
    • First character: file type (e.g., - for regular file, d for directory).
    • Next 3 characters: Owner permissions (Read, Write, Execute).
    • Next 3 characters: Group permissions (Read, Write, Execute).
    • Last 3 characters: Others permissions (Read, Write, Execute).
  • user: The owner of the file.
  • group: The group associated with the file.

How DAC Works:

  1. The owner can change the permissions of the file using chmod.
  2. The system checks the owner, group, and other permissions to determine if access is granted.

f) Mandatory Access Control (MAC) Example (SELinux):

In SELinux, every subject and object is assigned a security label (context). The system enforces access control based on these labels and a predefined policy. Common labels include type, role, and sensitivity level.

  • Example: A process labeled user_t might only be allowed to access files labeled user_home_t.

4. Real-World Examples:

  • Operating System Login: Username/password authentication grants access to the system.
  • File System Permissions: Restricting access to sensitive files (e.g., configuration files, password databases).
  • Database Access Control: Granting different users different levels of access to database tables and views.
  • Web Server Authentication: Using HTTPS and user accounts to protect web pages and resources.
  • Firewalls: Controlling network access based on IP addresses, ports, and protocols.
  • Virtualization: Limiting the resources that a virtual machine can access.
  • Cloud Computing: Using IAM (Identity and Access Management) to control access to cloud resources.
  • Mobile Operating Systems (Android, iOS): Using permissions to control access to sensitive device features (e.g., camera, location).

5. Common Issues:

  • Privilege Escalation: An attacker exploiting a vulnerability to gain higher privileges than intended.
  • Weak Passwords: Easy-to-guess passwords can be compromised.
  • Misconfigured Permissions: Incorrectly configured ACLs can grant unauthorized access.
  • Social Engineering: Tricking users into revealing their credentials or granting access.
  • Insider Threats: Malicious or negligent employees can bypass security measures.
  • Buffer Overflows: Exploiting memory vulnerabilities to execute arbitrary code.
  • SQL Injection: Exploiting vulnerabilities in database queries to gain unauthorized access.
  • Denial-of-Service (DoS) Attacks: Overwhelming the system with requests to make it unavailable to legitimate users.
  • Phishing: Tricking users into revealing sensitive information through fake emails or websites.

Troubleshooting Tips:

  • Review Access Logs: Examine logs to identify suspicious activity.
  • Regularly Audit Permissions: Check and update ACLs to ensure they are correct.
  • Use Strong Passwords: Enforce strong password policies and use multi-factor authentication.
  • Keep Software Up-to-Date: Patch vulnerabilities promptly.
  • Implement Intrusion Detection Systems (IDS): Monitor network traffic for suspicious patterns.
  • Use Firewalls: Control network access to the system.
  • Educate Users: Train users on security best practices.
  • Principle of Least Privilege: Always grant the minimum necessary permissions.

6. Interview Questions:

  • What is access control? Why is it important?
    • Answer: Access control is the mechanism for protecting resources from unauthorized access. It is important for maintaining confidentiality, integrity, and availability.
  • Explain the difference between authentication and authorization.
    • Answer: Authentication verifies the identity of a user, while authorization determines if that user has permission to access a specific resource.
  • What are ACLs and Capability Lists? How do they differ?
    • Answer: ACLs are associated with objects and specify which subjects have what access rights. Capability lists are associated with subjects and specify what objects they can access and how.
  • What is Discretionary Access Control (DAC)? Give an example.
    • Answer: DAC is where the owner of an object controls access to it. Unix file permissions are a classic example.
  • What is Mandatory Access Control (MAC)? Give an example.
    • Answer: MAC is where a central authority controls access based on security labels. SELinux is a good example.
  • Explain the Principle of Least Privilege.
    • Answer: Granting subjects only the minimum necessary access rights to perform their tasks.
  • What are some common security vulnerabilities?
    • Answer: Privilege escalation, weak passwords, misconfigured permissions, buffer overflows, SQL injection, etc.
  • How would you secure a web server?
    • Answer: Use HTTPS, strong authentication, regularly update software, implement a firewall, and monitor access logs.
  • Explain Role-Based Access Control (RBAC).
    • Answer: Access is based on the role a user has within an organization. Permissions are assigned to roles, and users are assigned to roles.
  • What is Multi-Level Security (MLS)?
    • Answer: A system that handles information at different security levels (e.g., classified, secret, top secret), preventing lower-level users from accessing higher-level information. Subjects and objects are assigned security levels.

Example Scenario & Answer:

Question: You are a system administrator. A user complains that they can’t access a file that they believe they should have access to. How would you troubleshoot this issue?

Answer:

  1. Verify Authentication: First, I’d confirm that the user is properly authenticated and logged in.
  2. Check Permissions (DAC): I would examine the file’s permissions using ls -l. I’d check if the user is the owner, part of the group, or if “others” permissions grant the necessary access. If the user is not the owner or in the appropriate group, I’d consider adding them to the group or changing the permissions (if appropriate and following security policies).
  3. Check ACLs (If applicable): If ACLs are enabled on the file system (e.g., using getfacl and setfacl on Linux), I’d check the ACL entries to see if the user has explicit access granted or denied.
  4. Consider MAC (If applicable): If SELinux or AppArmor is enabled, I’d investigate the security context of the file and the user’s process to see if MAC policies are preventing access. Tools like audit2allow can help diagnose and resolve SELinux denials.
  5. Check Group Membership: I would verify the user’s group memberships using the groups command to ensure they are in the correct group for accessing the file.
  6. File System Mount Options: I’d check the mount options of the file system (e.g., using the mount command) to see if there are any restrictions preventing access (e.g., noexec, nosuid).
  7. Logs: I would examine system logs (e.g., /var/log/auth.log, /var/log/syslog) for any error messages related to access denials.
  8. Principle of Least Privilege: Before granting any permissions, I would carefully consider the Principle of Least Privilege and ensure that the user is only granted the minimum necessary access to perform their job. I would document any changes made to the permissions or ACLs.
  9. Communicate with the User: Throughout the troubleshooting process, I would communicate with the user to keep them informed of the progress and to gather any additional information that might be helpful.

7. Further Reading:

  • Operating System Concepts (Silberschatz, Galvin, Gagne): Chapter on Security.
  • Security Engineering (Ross Anderson): A comprehensive resource on security principles.
  • SELinux Cookbook (Sven Vermeulen): A practical guide to SELinux.
  • NIST Special Publications: NIST provides numerous publications on security and access control.
  • OWASP (Open Web Application Security Project): Resources for web application security.
  • CIS (Center for Internet Security) Benchmarks: Configuration guidelines for securing various systems.
  • Linux Documentation Project: Information on Linux security features.