The UNIX system has been in wide use for over 20 years, and has helped to define many areas of computing.
Often, it is desirable to grant a user limited additional privileges.
oh this is gonna be good
To solve this problem, the kernel allows the creation of programs that are granted additional privileges while they are running.
✅✅✅ this was one of the vulns last week
Systems can use setuid and setgid programs to provide controlled access to files or services.
false.
Naturally, such programs must be written carefully to have only a limited set of functionality!
see he's laughing at the audience
The previous real UID is still maintained as the real UID when the new effective UID is installed. The real UID, however, is not used for any validation checking.
these are REAL PERMISSIONS SEMANTICS, written by REAL KERNEL DEVS
The drawback to this approach was that the real and effective UIDs could easily become confused.
this is when you reconsider
An additional identifier is defined by the kernel for use on machines operating in a networked environment.
an identifier? just for me?
This value is intended to be defined uniquely for each machine in a network.
literally why
In addition, in the Internet domain-name system, each machine is given a unique 32-bit number.
mysterious
Sessions were designed by the IEEE POSIX.1003.1 Working Group with the intent of fixing a long-standing security problem in UNIX
false, POSIX only creates long-standing security problems
As a process executes, it uses system resources, such as the CPU and memory.
these can only be known retroactively
The kernel tracks the resources used by each process and compiles statistics describing this usage.
imagine if processes declared these and gave them to the kernel
The I/O activity statistics are collected each time that the process has to start a transfer to fulfill a file or device I/O request
literally so self-defeating
If a process exceeds certain soft limits, a signal is delivered to the process to notify it that a resource limit has been exceeded.
what if this didn't happen because the process resources were isolated from the start
Normally, this signal causes the process to terminate, but the process may either catch or ignore the signal.
signals are so crazy
If the process ignores the signal and fails to release resources that it already holds, further attempts to obtain more resources will result in errors.
omg YOU'RE THE OS!!!!! WHY ARE YOU LETTING THE PROCESS TROLL YOU
i'm really feeling this "process isolation lets you preallocate all resources" vibe
omg it even has i/o ACCOUNTING but not DECLARING
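The soft-limit passage quoted above (signal on exceeding the soft limit, process may catch or ignore it, later attempts fail with an error) in running C, using RLIMIT_FSIZE and SIGXFSZ. This is an added example of mine, not code from the book or from this thread. It assumes Linux/BSD semantics (a write that starts at or past the soft file-size limit gets SIGXFSZ and EFBIG, while a write that starts under the limit is accepted up to it), a writable TMPDIR or /tmp, and names like run_fsize_demo and struct fsize_demo are my own.

```c
/* Added example: catching vs. ignoring SIGXFSZ when a soft RLIMIT_FSIZE is hit.
   run_fsize_demo / struct fsize_demo are my names, not from any book or OS. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <unistd.h>

static volatile sig_atomic_t got_sigxfsz = 0;

static void on_sigxfsz(int sig)
{
    (void)sig;
    got_sigxfsz = 1;            /* async-signal-safe: only record the delivery */
}

struct fsize_demo {
    ssize_t first_write;        /* bytes accepted while still under the limit */
    ssize_t second_write;       /* return value of the write that starts at the limit */
    int     second_errno;       /* errno after that write (expected EFBIG) */
    int     signal_seen;        /* 1 if our handler ran, 0 if the signal was ignored */
};

/* Lower the soft RLIMIT_FSIZE to `limit` bytes, then write `limit` bytes twice
   into a throwaway temp file. catch_signal != 0 installs a handler; 0 uses
   SIG_IGN. Either way the kernel refuses the second write with EFBIG.
   Returns 0 on success, -1 if setup failed; limit and disposition are restored. */
int run_fsize_demo(size_t limit, int catch_signal, struct fsize_demo *out)
{
    struct sigaction sa, old_sa;
    struct rlimit rl, saved;
    char path[256];
    const char *tmpdir;
    unsigned char *buf;
    int fd, rc = -1;

    memset(out, 0, sizeof *out);
    got_sigxfsz = 0;

    /* Default disposition of SIGXFSZ terminates the process, so set the
       handler (or SIG_IGN) before lowering the limit. */
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = catch_signal ? on_sigxfsz : SIG_IGN;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGXFSZ, &sa, &old_sa) != 0)
        return -1;

    if (getrlimit(RLIMIT_FSIZE, &rl) != 0)
        goto restore_sig;
    saved = rl;
    if (rl.rlim_max != RLIM_INFINITY && (rlim_t)limit > rl.rlim_max)
        goto restore_sig;        /* soft limit cannot exceed the hard limit */
    rl.rlim_cur = limit;         /* lower only the soft limit */
    if (setrlimit(RLIMIT_FSIZE, &rl) != 0)
        goto restore_sig;

    tmpdir = getenv("TMPDIR");
    snprintf(path, sizeof path, "%s/fsize_demo_XXXXXX", tmpdir ? tmpdir : "/tmp");
    fd = mkstemp(path);
    if (fd < 0)
        goto restore_limit;
    unlink(path);                /* file exists only while fd is open */

    buf = calloc(1, limit);
    if (buf == NULL)
        goto close_fd;

    /* Offsets 0..limit: accepted in full, no signal. */
    out->first_write = write(fd, buf, limit);
    /* Offset == limit: kernel sends SIGXFSZ and fails the write with EFBIG. */
    out->second_write = write(fd, buf, limit);
    out->second_errno = out->second_write < 0 ? errno : 0;
    out->signal_seen = got_sigxfsz;
    rc = 0;

    free(buf);
close_fd:
    close(fd);
restore_limit:
    setrlimit(RLIMIT_FSIZE, &saved);
restore_sig:
    sigaction(SIGXFSZ, &old_sa, NULL);
    return rc;
}

int main(void)
{
    struct fsize_demo d;
    if (run_fsize_demo(4096, 1, &d) != 0) { perror("setup"); return 1; }
    printf("caught:  first=%zd second=%zd errno=%s handler_ran=%d\n",
           d.first_write, d.second_write, strerror(d.second_errno), d.signal_seen);
    if (run_fsize_demo(4096, 0, &d) != 0) { perror("setup"); return 1; }
    printf("ignored: first=%zd second=%zd errno=%s handler_ran=%d\n",
           d.first_write, d.second_write, strerror(d.second_errno), d.signal_seen);
    return 0;
}
```

The point the book makes is visible in the two runs: with the handler installed the process is notified and then gets EFBIG; with SIG_IGN it is not notified but still gets EFBIG, because the limit is enforced by the kernel on the request, not by the signal. Only the soft limit is touched, so an unprivileged process can run this and restore the original value afterwards.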
For historic reasons, the same floating-point-conversion routine processes the count of disk operations, so the number of disk operations must be multiplied by 64 before it is converted to the floating-point representation.
that's normal
Finally, the accounting records fail to include much information needed to do accurate billing, including usage of other resources, such as tape drives and printers.
can't tell if this is funny or scary. unsure
The kernel supports the illusion of concurrent execution of multiple processes by scheduling system resources among the set of processes that are ready to execute.
completely fucking backwards. processes become ready to execute as a result of scheduling their system resources