Tuesday, October 23, 2007


Aspects of computer security: Authorization and Access Control

This is the third post in the series about computer security, and for today’s installment:

2. Authorization — What am I allowed to do?

3. Access control — What data am I allowed to get to, change, create, delete?

I group these two together because they’re closely related: they both deal with what the entity you authenticated as can do once you’ve “logged in”. I consider them separate, because different mechanisms usually control each.

When I talk about authorization, I’m usually referring to actions that an authenticated user is allowed to take. Can you start and stop services, such as a web server or a file transfer server? Can you shut the computer down? Can you add and remove users from a multi-user system? Can you send mail, install programs, change the system time, or set various other operational aspects of a computer?

Access control refers not to actions, but to access to data. What files can you read? Can you create new files? What files can you modify or delete?

We’ll collectively call what you’re authorized to do and what access you’re allowed, “privileges”.

On many computer systems, particularly those set up to be used by one person, there are two kinds of users: administrators and normal users (non-administrators). The former can do anything, and can get full access to all files. The latter are restricted in what they can do. On Windows systems prior to Vista, the lone user is generally set up as an administrator. People who’ve tried to do otherwise have often run into difficulty, because software (non-Windows software, that is — applications) assumes that the user’s privileges aren’t restricted. On MacOS, certain actions (such as updating the OS) and access to some files require that an administrator password be entered, essentially re-authenticating the user as an administrator. And for some things on MacOS, as on Linux, you have to authenticate as the “root” user.

On the Internet, too, there are privileges. By logging into my gmail account on my web browser, I’m allowed to send, read, and delete mail, to post to my blog and to edit and delete blog posts, and to send and receive instant messages. I can post comments to other blogs that use Blogger, and I can later delete those comments, but not those of other users. On my own blog, I can delete anyone’s comments, because I have that access to my own blog. If I authenticate with my Yahoo! account I can manipulate my Flickr photos, and by using other authentication I can access my credit cards, bank accounts, airline frequent-flier programs, and so on.

It’s clear why we need to have restrictions on privileges over the Internet, but... why should I want to limit my privileges on my own computer? Well, that should be clear to anyone who’s made a mistake and deleted something accidentally, or gotten their computer infected with a virus while surfing the web: if you don’t have privileges that you don’t need right now, you can’t accidentally use those privileges to hurt yourself (well, to hurt your computer).

There’s a rule of thumb that one should never be operating with more privileges than one needs at the time. Most of us go around creating, modifying, and deleting personal files all the time, so we normally want access to that. But how often do we need to delete files in the Windows directory, or in the System directory on MacOS? Seldom. And so we’d like to avoid having that access unless we specifically ask for it.

And now we get back to something I said at the end of the post on authentication: that authentication should be separate from authorization and access control. The right way to run a computer system is to have me authenticate as Barry, and then to have privileges set up for what Barry can do and access. That sets us up with auditability and accountability. If I want someone to be able to post to my blog and moderate comments in my absence, rather than giving him my gmail password, allowing him to act as me in all ways (and read my mail too, for instance), I should make sure he has his own gmail account, and then give that account the privileges needed to manage my blog — but not my email.
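To make that separation concrete, here is an added example (not code from the original post) that models the blog-delegation scenario: authentication establishes who is acting, a separate privilege table decides what that principal may do, and the audit trail names the delegate rather than the account owner. The account names, privilege strings and password table are constructed sample data.

```python
# Added example: minimal model of authentication kept separate from
# authorization, with an audit trail recorded under the acting principal.
# Account names, privilege names and the password table are constructed.

from dataclasses import dataclass, field

# Constructed credential store. A real system stores salted password
# hashes, never plaintext; this is only to show the authentication step.
PASSWORDS = {"barry": "correct horse", "helper": "battery staple"}

# Privileges are named actions on named resources. Barry owns the blog and
# his mailbox; the helper gets only the blog-management privileges needed
# to post and moderate in Barry's absence, and nothing touching mail.
GRANTS = {
    "barry":  {"blog:post", "blog:moderate", "mail:read", "mail:send"},
    "helper": {"blog:post", "blog:moderate"},
}


@dataclass
class System:
    audit: list = field(default_factory=list)

    def authenticate(self, user, password):
        """Return the principal name on success, None on failure."""
        if PASSWORDS.get(user) == password:
            return user
        return None

    def authorize(self, principal, privilege):
        """Check one privilege for an authenticated principal and record the
        decision against that principal's own identity (accountability)."""
        allowed = privilege in GRANTS.get(principal, set())
        self.audit.append((principal, privilege, "allow" if allowed else "deny"))
        return allowed


def delegation_demo():
    """The helper logs in with his own account: moderating a comment is
    allowed, reading Barry's mail is denied, and the audit trail shows
    'helper' for both decisions rather than 'barry'."""
    system = System()
    who = system.authenticate("helper", "battery staple")
    results = {
        "blog:moderate": system.authorize(who, "blog:moderate"),
        "mail:read": system.authorize(who, "mail:read"),
    }
    return results, system.audit
```

Had the helper been given Barry's password instead, both entries would have been logged as "barry" and the mail check would have been allowed, which is exactly the loss of accountability and least privilege the post describes.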
