1. Consider the isolated system described in the first example in Section 28.2.1. If custodians and other people not authorized to use the isolated system were allowed into the room without observation, would that violate policy component U1? Justify your answer.

2. Reconsider the lock program discussed in Section 28.2.3.

3. The example of Peter and Deborah on the UNIX system in Section 28.3.1 assumes that Deborah is the only member, or that Deborah and Peter are the only members, of a group. If this is not so, can Peter give only himself and Deborah access to the file by using the abbreviated ACL? Explain either how he can or why he cannot.

4. Suppose that Deborah, Peter, and Kathy are the only members of the group proj and that Deborah, Peter, and Elizabeth are the only members of the group exeter. Show how Peter can restrict access to the file design to himself and Deborah using only abbreviated ACLs. (Hint: Consider both design and its containing directory.)

5. The UNIX umask disables access by default. The Windows scheme enables it. Discuss the implications of enabling access by default and of disabling access by default with respect to security. In particular, which of Saltzer and Schroeder's design principles [865] (see Chapter 13, "Design Principles") is violated by either enabling or disabling access by default?

6. Many UNIX security experts say that the umask should be set to 077 (that is, to allow access only to the owner). Why? What problems might this cause?