Implementing an authorization policy on I/O level in GNU/Linux

Bachelor Thesis

Please use this identifier to cite or link to this item: https://hdl.handle.net/20.500.12380/203643
Type: Bachelor Thesis
Title: Implementing an authorization policy on I/O level in GNU/Linux
Authors: Green, Jean-Philippe
Holmberg, Mattias
Levenstam, Filip
Tillström, Tobias
Abstract: The purpose of this project has been to implement enhanced functionality for privileged file operations when using graphical programs in the GNU/Linux operating system. Today, administrative tasks are done by acquiring privileges before the program in question is started. One goal of this thesis is to show how to make administration easier by instead requesting authentication when an operation is to be performed. When working with a text editor such as Gedit, it is often possible to open system files and make changes to the loaded text. Saving these changes will, however, be impossible, because the user does not have write permission on the file. The ideas presented in this report give the user the possibility of having this action authorized, making it possible to save. Implementations of these ideas can also enhance the security of the system by allowing less code to be run with elevated privileges. Instead of running Gedit with higher privileges, only the operation to save the changes is performed with privileges. Less code running with the power to change system files means that if a vulnerability is found in some part of the system, there is less risk of an attacker using it for an intrusion. The results of this project are twofold: (1) A mechanism has been created for changing a user’s permissions on a file. This acts as a helper program for other programs to use when they lack permissions on a certain file. The helper program uses Polkit for authentication and, if the user is authorized, elevates the user’s permissions on the affected file. The calling program can then continue to perform the requested file operation. The user’s permissions on the file are restored after a set amount of time. (2) The other result consists of guidelines on how to complete this task without changing any permissions on files. Instead, this alternative solution can offer the same functionality in a more straightforward way, by relaying the file operations to a custom-made backend.
Keywords: Computer and Information Science
Issue Date: 2014
Publisher: Chalmers tekniska högskola / Institutionen för data- och informationsteknik (Chalmers)
Chalmers University of Technology / Department of Computer Science and Engineering (Chalmers)
URI: https://hdl.handle.net/20.500.12380/203643
Collection: Bachelor Theses


