
Security Principles and the Unix System

1- Economy of Mechanism (economy of design): a piece of software should be as
simple as possible while still fulfilling its function, because a simple
mechanism is easier to inspect and verify than a complex one. The implications
of this principle were summarized decades ago in the "Unix philosophy" (small
programs that each do one thing well and are combined through pipes). In
practice, economy of design is not always followed; desktop applications could
hardly be farther away from the Unix philosophy.
2- Fail-Safe Defaults: software should be designed with sensible defaults that
are safe in themselves and minimize damage in the case of a crash or intrusion;
access should be denied unless it has been explicitly granted. As an example of
a fail-safe default, the umask, which removes permission bits from newly created
files, is normally never set to 000, which would let the owner, the owner's
group, and all other users read and write every new file. A common default of
022 removes write permission from the group and from other users; on systems
configured for a higher level of security, a stricter umask such as 027 or 077
leaves the owner's group able only to read new files, or unable to see them at
all, and gives other users no access.
3- Least Privilege: processes, applications, and users should have access only
to the system resources that are absolutely necessary for their task. The
system of permissions, user accounts, and groups is based on this principle,
although the setup on Linux is somewhat dated (coarse owner/group/other bits,
all of which root can bypass). The use of sudo extends this principle by
granting elevated privileges per user and per command for a single invocation
rather than handing out a persistent root shell, and by making it possible to
spread administrative functions over more than one account without sharing the
root password.
4- Open Design: the Unix architecture is public, and its security does not
depend on the design being kept secret. One major advantage of free software is
that development is public: anyone can read the code, and the engineering
standards are freely available, which gives open design a greater chance of
improvements being made and of bugs being detected. Eric S. Raymond expressed
this in The Cathedral and the Bazaar as "given enough eyeballs, all bugs are
shallow," naming it Linus's Law in honor of Linus Torvalds.
5- Complete Mediation: every access to every object should be checked for
authority at the time of the access. Unix authorization does not provide
complete mediation of all system resources; a well-known example of Unix
violating the principle is the following:
“When a UNIX process tries to read a file, the operating system determines if
the process is allowed to read the file. If so, the process receives a file
descriptor encoding the allowed access. Whenever the process wants to read
the file, it presents the file descriptor to the kernel. The kernel then allows the
access. If the owner of the file disallows the process permission to read the
file after the file descriptor is issued, the kernel still allows access. This
scheme violates the principle of complete mediation, because the second
access is not checked. The cached value is used, resulting in the denial of
access being ineffective.”

6- Separation of Privilege: access should depend on more than one condition
being satisfied. Two Unix examples illustrate this principle:
- On BSD systems, a user who wants to su to root must both belong to the wheel
group and know the root password (mentioned in the course).
- Unix ad hoc privilege separation, in which a daemon moves the privileged part
of its work into a small separate process (you can read about it to get a
general overview).
7- Principle of Least Common Mechanism: mechanisms used to access resources
should be shared between users as little as possible, since every shared
mechanism is a potential channel for one user to affect or observe another.
See the example of virtual machines in the course.
8- Psychological Acceptability: a security mechanism should not make the
protected resource harder to use than it would be without the mechanism. The
ssh program allows a user to set up a public key mechanism for authenticating
to remote systems over an enciphered connection. The installation and
configuration mechanisms for the Unix version allow one to store the private
key locally without any passphrase protection. In this case, one need not
supply a password to connect to the remote system, but still obtains the
enciphered connection. This mechanism satisfies the principle of psychological
acceptability (this example is mentioned in the course). The caveat is that an
unprotected private key is only as safe as the account and disk that hold it;
a passphrase combined with ssh-agent keeps the convenience while protecting the
key at rest.
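The following is an added example, not code from the original notes or from any Unix source, that exercises two of the points above on a real filesystem: the umask behaviour under item 2 (Fail-Safe Defaults) and the cached file-descriptor problem quoted under item 5 (Complete Mediation). All file names and the sample file content are constructed for the demonstration; the functions `mode_after_umask`, `predicted_mode` and `cached_descriptor_demo` are names chosen here, not standard library APIs.

```python
import os
import shutil
import stat
import tempfile

# Added example, not from the original page. File names and contents below are
# constructed solely for this demonstration.

SAMPLE_CONTENT = b"constructed sample secret\n"


def mode_after_umask(mask, requested=0o666):
    """Create a file under the given umask and return its resulting mode bits.

    Fail-safe default (item 2): the umask can only remove permission bits from
    what the creating program asked for, never add them.
    """
    workdir = tempfile.mkdtemp(prefix="umask-demo-")
    old_mask = os.umask(mask)            # umask is process-wide; restored below
    try:
        path = os.path.join(workdir, "newfile")
        fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, requested)
        os.close(fd)
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(old_mask)
        shutil.rmtree(workdir)


def predicted_mode(mask, requested=0o666):
    """The arithmetic the kernel applies at creation: requested & ~mask."""
    return requested & ~mask & 0o777


def cached_descriptor_demo():
    """Show that an open descriptor survives revocation of file permissions.

    Complete-mediation gap (item 5): the access check runs once, at open(2).
    A later chmod(2) does not invalidate the descriptor already issued, even
    though a fresh open(2) of the same file is now refused.
    """
    workdir = tempfile.mkdtemp(prefix="mediation-demo-")
    path = os.path.join(workdir, "secret.txt")
    with open(path, "wb") as f:
        f.write(SAMPLE_CONTENT)

    fd = os.open(path, os.O_RDONLY)      # permission is checked here, once
    try:
        os.chmod(path, 0)                # the owner revokes every access bit

        # A new open must pass the check again and is refused for a non-root
        # user. Root (CAP_DAC_OVERRIDE) bypasses mode bits entirely, so the
        # outcome is reported together with the effective uid, not assumed.
        try:
            fresh = os.open(path, os.O_RDONLY)
        except PermissionError:
            fresh_open_denied = True
        else:
            os.close(fresh)
            fresh_open_denied = False

        # The cached descriptor is still honoured: read(2) performs no re-check.
        os.lseek(fd, 0, os.SEEK_SET)
        cached_read = os.read(fd, len(SAMPLE_CONTENT))
    finally:
        os.close(fd)
        os.chmod(path, 0o600)            # restore bits before cleanup
        shutil.rmtree(workdir)

    return {
        "cached_read": cached_read,
        "fresh_open_denied": fresh_open_denied,
        "is_root": os.geteuid() == 0,
    }


if __name__ == "__main__":
    for mask in (0o000, 0o022, 0o027, 0o077):
        print(f"umask {mask:03o}: new file gets mode {mode_after_umask(mask):03o}")
    result = cached_descriptor_demo()
    print("read through the cached descriptor:", result["cached_read"])
    print("fresh open denied:", result["fresh_open_denied"],
          "(running as root, so mode bits are bypassed)" if result["is_root"] else "")
```

The practical consequence of the second experiment is that removing a user's permission on a file, or even unlinking it, does not cut off processes that already hold it open; access is only re-mediated when they open the file again, so revocation has to be combined with terminating or restarting the processes concerned.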
