The UNIX system has been in wide use for over 20 years, and has helped to define many areas of computing.
Other global resources associated with a process include space to record information about descriptors and page tables that record information about physical-memory utilization.
so you think i'm right
oh hell yeah
One important responsibility of an operating system is to implement access-control mechanisms.
that's right. i'm the RAM bouncer
Most of these access-control mechanisms are based on the notions of individual users and of groups of users.
this part is fine on its own, but why the hell is everything global
UIDs are the basis for accounting, for restricting access to privileged kernel operations (such as the request used to reboot a running system), for deciding to what processes a signal may be sent, and as a basis for filesystem access and disk-space allocation.
literally no problems at all with any of this except that it's global
This scheme enforces a strict compartmentalization of privileges.
the problem here is with privileges being global
Each file has three sets of permission bits.
see this is a fucking absurd waste of space and it's because the filesystem has to be ready at all times to fend off attackers
literally why should EPERM even exist at all???? why would i ever want to know about data i can't read?
Often, it is desirable to grant a user limited additional privileges.
oh this is gonna be good
To solve this problem, the kernel allows the creation of programs that are granted additional privileges while they are running.
✅✅✅ this was one of the vulns last week
Systems can use setuid and setgid programs to provide controlled access to files or services.
false.
Naturally, such programs must be written carefully to have only a limited set of functionality!
see he's laughing at the audience
The previous real UID is still maintained as the real UID when the new effective UID is installed. The real UID, however, is not used for any validation checking.
these are REAL PERMISSIONS SEMANTICS, written by REAL KERNEL DEVS
The drawback to this approach was that the real and effective UIDs could easily become confused.
this is when you reconsider
An additional identifier is defined by the kernel for use on machines operating in a networked environment.
an identifier? just for me?
This value is intended to be defined uniquely for each machine in a network.
literally why
In addition, in the Internet domain-name system, each machine is given a unique 32-bit number.
mysterious
Sessions were designed by the IEEE POSIX 1003.1 Working Group with the intent of fixing a long-standing security problem in UNIX
false, POSIX only creates long-standing security problems
As a process executes, it uses system resources, such as the CPU and memory.
these can only be known retroactively
The kernel tracks the resources used by each process and compiles statistics describing this usage.
imagine if processes declared these and gave them to the kernel
The I/O activity statistics are collected each time that the process has to start a transfer to fulfill a file or device I/O request.
literally so self-defeating