Frequently Asked Questions
Have questions? We have answers!
  • How does PBS harden the System Call Interface?

    File Operations

    All file operations have a standard PBS check for the validity of the file. If a file with that name does not exist, the system call is disallowed.

    File Mode

    With conventional security, the mode of any file can be changed using the chmod command by root or the file owner. A malicious user can do harm by giving a harmful file execute permission and then running it on the system. PBS does not allow changing the mode of a file to add execute permission unless the process possesses the PBS-specific change-mode access right (PBS_CHMOD).

    File Deletion

    In normal Linux systems the deletion of a file is quite a simple process. The only checks made by the operating system are for the permission bits and owner of the file and its directory. If the ancestor directory permits its children to be changed by any user or group, then any of the directory's descendants can be deleted by that user or group. In contrast, deletion of a file under PBS has far more rigid requirements: a process can delete a file only if it is required to do so, which is to say the process must hold the PBS-specific delete access right for that particular file (PBS_DELETE_FILE).

    System V IPC

    System V Interprocess Communication (IPC) objects can be of three kinds: System V message queues, semaphore sets, and shared memory segments. When accessing such objects, the rules of the normal security system are as follows:

    • if a process has root privileges, access is always granted (DANGEROUS!)
    • if the process’ EUID is the owner or creator UID of the object, then the creator permission bit is checked to see if access can be granted.
    • if the process’ EGID is the owner or creator GID of the object, or one of the process’ groups is the owning or creating GID of the object, then the creator group permission bit is checked to see if access can be granted.

    However, in the PBS system even more restrictions are enforced on the IPC message system.

    • If a process tries to create a new message queue using the msgget() system call, it is denied.
    • If a process tries to send a message using the msgsnd() system call, it requires the PBS-specific write-file access right (PBS_WRITE_FILE).
    • If a process tries to receive a message using the msgrcv() system call, it requires the PBS-specific read-file access right (PBS_READ_FILE).
    • If a process invokes the message control system call msgctl(), the IPC_SET command requires the PBS-specific queue-resize access right (PBS_QUEUE_RESIZE), and the IPC_RMID command requires the PBS-specific file-delete access right (PBS_DELETE_FILE).

    Signals

    A process can send a signal to another process (by using the kill system call); the receiving process handles the signal asynchronously. In order for a process to send a signal to an arbitrary process, it must either have root privileges, or the effective (or real) user ID of the sending process must equal the real or saved set-user ID of the receiving process. PBS places an additional check in the kill system call. Further, PBS does not allow sending signals to the init process (the process with PID 1) or to the current process itself.

    Process Trace

    The ptrace system call can be used for tracing the execution of a process. PBS does not allow a process to ptrace itself. Also, for any process to ptrace another process, it must possess the PBS-specific trace access right (PBS_TRACE).
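    To make the rules in this answer concrete, here is a small C model of the PBS checks described above (file operations, file mode, file deletion, System V IPC, signals and process trace), written as one decision function per system call. This is an added illustration, not PBS source code: the access-right names (PBS_CHMOD, PBS_DELETE_FILE, PBS_WRITE_FILE, PBS_READ_FILE, PBS_QUEUE_RESIZE, PBS_TRACE) are the ones named in the answer, but their bit values, the pbs_proc structure and the pbs_allow_* functions are assumptions made here, and the ordinary Linux permission checks are assumed to run separately and are not modeled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/ipc.h>   /* IPC_SET, IPC_RMID */
#include <sys/stat.h>  /* mode_t, S_IXUSR, S_IXGRP, S_IXOTH */

/* Access-right bits. The names come from the FAQ answer; the values are
   assumed here for the purpose of this model. */
enum pbs_right {
    PBS_CHMOD        = 1u << 0,
    PBS_DELETE_FILE  = 1u << 1,
    PBS_WRITE_FILE   = 1u << 2,
    PBS_READ_FILE    = 1u << 3,
    PBS_QUEUE_RESIZE = 1u << 4,
    PBS_TRACE        = 1u << 5,
};

/* Hypothetical view of the calling process: its PID and the rights granted
   to it by the PBS policy. */
struct pbs_proc {
    int      pid;
    uint32_t rights;
};

static bool has_right(const struct pbs_proc *p, uint32_t r) {
    return (p->rights & r) == r;
}

/* File mode: adding any execute bit requires PBS_CHMOD. Changes that do not
   add execute permission are left to the normal owner/root checks. */
bool pbs_allow_chmod(const struct pbs_proc *p, mode_t old_mode, mode_t new_mode) {
    mode_t added = new_mode & ~old_mode;
    if (added & (S_IXUSR | S_IXGRP | S_IXOTH))
        return has_right(p, PBS_CHMOD);
    return true;
}

/* File deletion: the file must exist (the standard PBS validity check) and
   the process must hold PBS_DELETE_FILE, whatever the directory bits say. */
bool pbs_allow_unlink(const struct pbs_proc *p, bool file_exists) {
    return file_exists && has_right(p, PBS_DELETE_FILE);
}

/* System V message queues. */
bool pbs_allow_msgget(const struct pbs_proc *p) { (void)p; return false; } /* creation always denied */
bool pbs_allow_msgsnd(const struct pbs_proc *p) { return has_right(p, PBS_WRITE_FILE); }
bool pbs_allow_msgrcv(const struct pbs_proc *p) { return has_right(p, PBS_READ_FILE); }

/* msgctl: IPC_SET needs PBS_QUEUE_RESIZE, IPC_RMID needs PBS_DELETE_FILE.
   Other commands (for example IPC_STAT) are left to the normal checks. */
bool pbs_allow_msgctl(const struct pbs_proc *p, int cmd) {
    switch (cmd) {
    case IPC_SET:  return has_right(p, PBS_QUEUE_RESIZE);
    case IPC_RMID: return has_right(p, PBS_DELETE_FILE);
    default:       return true;
    }
}

/* Signals: never deliver to init (PID 1) or to the caller itself. */
bool pbs_allow_kill(const struct pbs_proc *p, int target_pid) {
    if (target_pid == 1 || target_pid == p->pid)
        return false;
    return true;
}

/* Process trace: never trace self; tracing any other process needs PBS_TRACE. */
bool pbs_allow_ptrace(const struct pbs_proc *p, int target_pid) {
    if (target_pid == p->pid)
        return false;
    return has_right(p, PBS_TRACE);
}

int main(void) {
    /* Constructed sample process: PID 42 holding only PBS_READ_FILE. */
    struct pbs_proc reader = { .pid = 42, .rights = PBS_READ_FILE };
    printf("chmod 0644 -> 0755 : %s\n", pbs_allow_chmod(&reader, 0644, 0755) ? "allow" : "deny");
    printf("msgrcv             : %s\n", pbs_allow_msgrcv(&reader) ? "allow" : "deny");
    printf("msgctl IPC_RMID    : %s\n", pbs_allow_msgctl(&reader, IPC_RMID) ? "allow" : "deny");
    printf("kill PID 1         : %s\n", pbs_allow_kill(&reader, 1) ? "allow" : "deny");
    printf("ptrace PID 43      : %s\n", pbs_allow_ptrace(&reader, 43) ? "allow" : "deny");
    return 0;
}
```

    Each function answers only the PBS question ("does this process hold the right this call needs?"); a real hook would combine the result with the kernel's own ownership and permission-bit checks, which is why a missing right is a denial but a present right is not by itself a grant. The unspecified extra check that the answer says PBS adds to kill, beyond the init and self cases, is not modeled.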

    Created on 12/17/2012 in SAGE First FAQs

Secure Web Server Appliance

FEATURES

  • Pre-configured with Web, email and FTP servers
  • Secure Remote Administration
  • Process-Based Built-in Security Policy
  • Worry-free maintenance
  • Hardened Operating System
  • Supports SSL, SSI, PHP, Perl, Python, & Tcl
  • Supports MySQL, PostgreSQL and SQL Libraries
  • Multi-domain Hosting, Virtual IP
  • Backup

Industrial Automation Firewall

FEATURES

  • MAC Address Limiting
  • Port Management
  • Detection and Rejection of DoS Attacks
  • Protection from Viruses, Trojans and Common Cyber Attacks
  • Secure Your Ethernet Enabled Control System Devices (PLCs, RTUs, IEDs)
  • Physically Hardened
  • Secure, Cyber-Hardened Operating System
  • Protect Your End Devices Against Viruses, Worms, Trojans, Malware and Common Cyber Penetration Attacks
  • Transparent In-Line PLC Firewall and Communications Filter

Process-Based Security