File ownership on removable media

Posted: Fri Nov 22, 2019 6:11 pm
by azblue
Let's say Bob on computer A saves a file on a removable drive that properly keeps track of file permissions. The removable drive is placed in computer B, and accessed by a user named Bob. Is Bob A the same person as Bob B? Maybe, maybe not -- we don't know. So the username is not how we should keep track of the file's owner.

Instead, a hash of the user's password should be saved with the file as part of any intelligent filesystem. If Bob B knows Bob A's password, that indicates they are the same person.

Should Bob B have to type in his password every single time he accesses his files from his other computer? No. Computer B should keep track of the fact that he is also Bob A. But keeping A's hash on computer B doesn't really work: A malicious user could simply copy the hash from the removable drive to the hash file and gain access to files they do not own. Instead, when B types in his password from computer A, the actual password needs to be encrypted and saved.

My question is: is this a security risk? Normally passwords aren't actually saved, only their hashes are. Is there a better way to do this?

Re: File ownership on removable media

Posted: Sat Nov 23, 2019 1:09 am
by nullplan
File ownership on a removable drive makes no sense. If Bob saves a file to such a drive and then gives the drive to Eve, Eve is now entirely in control of those files. She can read them, change them, pass them on to her friend Julian, whatever. This is a social problem that cannot be solved technically.

In particular, even with password hashes, Eve can plug the drive into her own personal computer and use admin access (if need be by means of a hex editor) to overwrite the password hash with one she knows the input for. If Bob wants to make sure Eve can't read the files, encryption is going to be his only remedy.

Besides, it is a pretty simple concept for most people to understand, that if you possess a data medium, you also possess everything on it. That is also why a bad old file system like FAT is acceptable for everything from a floppy to a USB thumb drive.

Re: File ownership on removable media

Posted: Sat Nov 23, 2019 3:57 am
by LtG
File ownership makes as much sense on a "removable" drive as it makes on any other drive. HDDs are removable too, just not as easily.

There are two separate concepts here, owning something and enforcing your rights as owner. Ownership is a social contract and one you can enforce through legal systems; in addition you can do extra enforcement, like encryption for data, security guards for your house, etc.

Given that hashes are a cryptographic tool and you know about it, then why not just use encryption? If Bob has the key, then he can open the files on any machine he wants to.

Re: File ownership on removable media

Posted: Sat Nov 23, 2019 4:25 am
by iansjack
Let's assume first of all that ownership of files on removable media makes sense (I think it does). Obviously, linking this to a user name is far too insecure, which is why OSs don't do that. I can't see that just using a password is much more secure; it's quite likely that the same account on different computers will have different passwords - or different accounts may have the same password - unless some SSO system is used.

*nix systems use the UID to identify an account, Windows uses UUIDs. In combination with a password these offer reasonable security, but also encrypting the data would seem to be the most secure, particularly if the encryption password differs from the sign-on password.

Re: File ownership on removable media

Posted: Sat Nov 23, 2019 6:11 am
by nullplan
LtG wrote:File ownership makes as much sense on a "removable" drive as it makes on any other drive. HDDs are removable too, just not as easily.
I have to agree with you there, but probably not in the way you thought of. Let me elaborate.

The purpose of a removable medium is transportation (if you don't store data on removable media in order to easily transport them, then why don't you use a really big hard disk plonked down in the corner of the room?) And this is where we get into problems. There is no concept of a User that can exist outside of an OS instance. For instance, all the users on my laptop are created, in the end, by my /etc/passwd file. The next system has a completely different /etc/passwd, or uses LDAP in a corporate network. The third system is Windows and has its mapping between UIDs and Users set out in the registry (and they have really complicated UIDs, but that's beside the point).

Therefore, I myself have a user instance in the corporate network of my employer, and a completely different user instance on my laptop. And probably, yet another one in the network of the University I used to attend. Or maybe they deleted that on graduation.

Now I save a file onto a USB thumb drive in my laptop. Conceptually, that file belongs to my user in the laptop. If I now take the same thumb drive to my work computer, if all OSes cooperated on this, it would have to deny me access, since the file is owned by my private laptop user, and not my corporate network user. Since neither domain knows about the other domain, and I aim to keep it that way, my laptop cannot give the file over to my corporate account, and neither can the work computer seize control of the file, since it can't know who it is taking the file away from (if it can seize the file, then it can seize whatever files I present to it on a USB stick, whether it is mine or not).

Now let's reverse the situation: A file on a USB stick is owned by my corporate user. In theory, I can't access the file on my laptop. But since I am local admin on my laptop (I also happen to be local admin on my work computer, but let's pretend I wasn't), I can change file ownership at will, and change file permissions.

In fact the very concept of admin privilege becomes really complicated once multiple computers get involved. If I can seize a file on a thumb drive in my laptop, why can't I in my work computer?

The only thing that could cure this ill would be a global user database, where each real person has an entry. Such a thing does not exist, and nor should it. It sounds Orwellian. Who would run it? The government? I am not aware of any government in the world that has enough competency to tell their right hand from their left, given three tries; and simultaneously enough integrity to run such a database entirely dispassionately, never using it to, say, punish people they don't like ("no more computer access for you, wrongthinker"). I trust those people about as far as I can throw a freight train.

Also bear in mind that this was just me taking a file from one computer to another. I did not even send it to anyone else. Of course, that also happens a lot, that I create a file on a thumb drive, then give it to someone else. Or receive a file or set of files in this way. But still multiple users are involved.

And this was all just an example involving a theoretical FS with users recognized by multiple OSes. Now let's switch to practice, shall we? I'll format a thumb drive with ext2 then put a file on there, on my laptop. The file belongs to UID 1000, which is usually the UID of the first real user in a Linux system, and most laptops are single-user.

Then I take the USB stick to my work computer, where it is still read as UID 1000. But since the work computer is part of the corporate network, that UID is looked up in the LDAP, and suddenly, someone completely different owns the file. Someone with absolutely no claim to the file.

Or another example: I buy a DVD and stick it in the drive. Which user owns the video files on there?

That is why a userless FS like FAT or ISO 9660 (or UDF) is preferable on removable media. On those media, the files are owned by whatever user mounted the medium, which is perfectly sensible: It means file ownership exists on these devices as long as they are attached to the system.

That much for the concept of file owners. As for security: Security is defined by the things that can't happen. The security part of the concept of file owners was supposed to make it impossible for one user to read or modify the files of another. The enforcement happens in the computer system the medium is attached to. If an eavesdropper were to get hold of the medium, they can plug it into whatever computer system they deem fit (they control it entirely), and thus circumvent whatever protections you may envision. Therefore the only way to prevent unauthorized access to your files on a removable drive is to encrypt (to prevent read access) and sign them (to prevent write access). Because you can't trust whatever computer system the medium will end up in.

This is also true of HDDs, which is why the concept of file owners of the files contained on them is routinely circumvented when such a drive is seized by the authorities. It doesn't matter if the eavesdropper has a badge or not, if they have access to the medium then they have access to everything on it. The entire security concept of UNIX with regards to file ownership and file permissions is contingent on the drive never leaving the computer system (that is, the user namespace). Once it does, the entire thing becomes meaningless.

Re: File ownership on removable media

Posted: Sat Nov 23, 2019 7:04 am
by LtG
@nullplan, not sure what your underlying point was. But a couple of thoughts:
1) A User can exist outside of an OS instance, though practical reasons dictate that you need some system to access User specific data on modern storage mediums. Still, it would exist outside a specific OS.
2) Creating a global LDAP won't help, since anyone could still use a machine that doesn't adhere to that and thus read your files.
3) While the risks are slightly different for desktop vs laptop vs usb-drive, they're fundamentally the same, a storage medium. Only way to secure them is encryption.

FAT isn't preferable on removable media for the person using it, it's preferable for manufacturers because it's easier/cheaper. I doubt anyone would prefer losing "ownership" of their pictures when a camera is lost, for instance. Manufacturers of course prefer not having to solve a problem, because it's cheaper.

On a film DVD the copyright holder of the film in question owns it, you license a right to watch it. That's pretty close to what they did, though IIRC one manufacturer messed up and the decryption keys were leaked.

Re: File ownership on removable media

Posted: Sat Nov 23, 2019 10:55 am
by nullplan
LtG wrote:@nullplan, not sure what your underlying point was.
That file ownership models on removable media make no sense.
LtG wrote:A User can exist outside of an OS instance,
How? I specifically meant the OS's abstraction called "user". It necessarily has to be OS-specific. And it is usually even instance specific. On my laptop, UID 1000 happens to stand for me, on yours, probably not so much. Even if we had the exact same OS, this would still be the case.
LtG wrote:FAT isn't preferable on removable media for the person using it, it's preferable for manufacturers because it's easier/cheaper.
The manufacturers of the media don't really care what you put on there. FAT is the default because anything from the IBM 5150 upwards can read it.
LtG wrote:I doubt anyone would prefer losing "ownership" of their pictures when a camera is lost, for instance.
This is just technology acknowledging reality. You lose your camera, and all the pictures in it are gone as well (until it is returned). Doesn't really matter what the FS on the memory card says. Also, please don't mix up the technical term "file ownership" with the legal concept of "ownership". The two have nothing to do with each other. To wit:
LtG wrote:On a film DVD the copyright holder of the film in question owns it, you license a right to watch it.
Legally, that is true. But the copyright holder doesn't have a user account on my system.
LtG wrote:That's pretty close to what they did, though IIRC one manufacturer messed up and the decryption keys were leaked.
I'm not sure I get what you're saying here. Legally, the film is still owned by the publisher (usually, anyway), and you own a licence to watch it. The DVD crypto wars is a whole other discussion that would digress too far even for me.

Re: File ownership on removable media

Posted: Sat Nov 23, 2019 12:26 pm
by iansjack
What about a network drive? I'd call that removable. And I certainly have user permissions set on my network drives.

Re: File ownership on removable media

Posted: Sat Nov 23, 2019 1:19 pm
by LtG
nullplan wrote:That file ownership models on removable media make no sense.
How does it not make sense? Are you saying that people using removable media don't want ownership? Or that it's technically impossible?
nullplan wrote: How? I specifically meant the OS's abstraction called "user". It necessarily has to be OS-specific. And it is usually even instance specific. On my laptop, UID 1000 happens to stand for me, on yours, probably not so much. Even if we had the exact same OS, this would still be the case.
The problem you seem to face is with UID mapping to two different users on two different directories run by two different entities. Get rid of the UID and you won't have that problem anymore.

If a User has to be OS specific, then why don't Files have to be? How is it that most OSes can work with FAT (and other FSes) just fine? Or bitmaps? Just create a FS that itself contains the needed info for Users and use encryption to enforce rules.

Encryption of course doesn't protect you from somebody deleting all your files, but they can just as easily put a hammer to your SSD and destroy the data that way.
nullplan wrote:This is just technology acknowledging reality. You lose your camera, and all the pictures in it are gone as well (until it is returned).
Rather it's bad tech, there's no good reason why the data couldn't be protected with encryption.

Re: File ownership on removable media

Posted: Sat Nov 23, 2019 10:28 pm
by Solar
Consider this:

When transferring a file via FTP, SCP, or whatever, there are two user accounts connected with each other -- the one that has the local file (sender), and the one being given the file (receiver).

The sending and the receiving "user" do not have to be accounts of the same person. Indeed, they usually aren't: The receiver might be a "technical" user (webserver?), or a different user of my team for example. Usually, this transfer also includes a change in accessibility of the file. The file is being made available in some way it wasn't before.

The permission for the transfer, including the permission for the accessibility change, is handled by the access protocol. I have to either authenticate myself (push), or deliberately put the file in some "server directory" where it can be accessed (make available for pull). Both sides, in some form, have agreed on the "rules" for the transfer. The protocol is established at both ends before the first file is ever transferred.

The point with removable media is that sending and receiving is asynchronous, as is the protocol. I am storing a video file on my USB stick. At this point, it is not clear whether that video is to be read by my mobile, my television, transferred to my wife's user account on a different computer, given to a media company to turn into a DVD, uploaded to a webserver, {endless possibilities}. There is no protocol.

Now, any scheme that would result in "strong" ownership of the file would require that all recipients, for all conceivable purposes past and future, would have to agree on that ownership handling. Just looking at Windows vs. Linux user / permission handling should show that this is an absolutely ludicrous idea, not even taking the millions of embedded applications into account. Strong ownership would require my SAT receiver to have a notion of user IDs and accounts when recording a TV show to USB drive. Really?

Plus, most operating systems have the concept of a "superuser", which is usually allowed to override just about every access restriction.

Hence, file ownership on removable media is a bonus for when you are moving the media between systems of one established network with consistent user management (IDs, access rights etc.). Like I do with the USB sticks we use in the family. If my son saves a file on his personal stick and my daughter gets a hold of it, she'll see that the files are owned by her brother, and won't have access to them. Because all the systems in the house use the same user IDs, as do the personal sticks.

But the generic sticks, those used for getting a video from computer to television or a recording from television to computer, don't. One, because the television doesn't have (or need) user accounts, just one PIN required for access and another required for rated content. Two, because the television doesn't "speak" a file system that could handle the kind of owner / permission data used by our desktops' OS (Linux). Here, another filesystem (FAT) with no strong ownership is used, and I think that's the correct way to do it, because the protocol is not yet established when writing the file.

Any restricting protocol / ownership for files on removable and generically interchangeable devices must therefore be implemented on top of such a permissive filesystem / ownership scheme. If A is faced with the challenge of securely passing data (only B can be the recipient) over an insecure channel (removable media to which C might get access), the solution is (quite obviously) an encryption protocol already established between A and B.

Bottom line, there's use cases for ownership on removable media, but this is not "strong" -- a superuser will be able to override those settings. But for security among non-privileged users, it's enough.

But for the USB stick in your pocket, used to get file Z from X to Y and do {whatever} with, strong ownership is not only unachievable, but indeed counterproductive.

Re: File ownership on removable media

Posted: Sun Nov 24, 2019 6:16 am
by azblue
nullplan wrote:... Eve is now entirely in control of those files. She can read them, change them, pass them on...even with password hashes, Eve can plug the drive into her own personal computer and use admin access (if need be by means of a hex editor) to overwrite the password hash... encryption is [the] only remedy.
If I leave my front door unlocked, a thief could come into my house and steal all my stuff. That makes a good case for keeping my front door locked, but it does not make a good case against having laws that prohibit stealing.

When writing an OS we get to decide what the "law" on the computer is. Allowing theft because people weren't smart enough to lock their stuff up doesn't make sense.

Re: File ownership on removable media

Posted: Sun Nov 24, 2019 6:22 am
by azblue
iansjack wrote:Let's assume first of all that ownership of files on removable media makes sense (I think it does). Obviously, linking this to a user name is far too insecure, which is why OSs don't do that. I can't see that just using a password is much more secure; it's quite likely that the same account on different computers will have different passwords - or different accounts may have the same password - unless some SSO system is used.

*nix systems use the UID to identify an account, Windows uses UUIDs. In combination with a password these offer reasonable security, but also encrypting the data would seem to be the most secure, particularly if the encryption password differs from the sign-on password.
A UUID was my initial idea, but that by itself is problematic. How does Bob B, UUID 0x12345678, demonstrate that he is Bob A, UUID 0x87654321? Typing in his UUID doesn't work; he likely doesn't even know it. And any way he has to figure it out is available to everyone else too. That's why I settled on a password hash (or, more correctly, a hash of a salt + password + pepper -- salt works out to be basically the same thing as a UUID).
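The two mechanisms the thread keeps contrasting can be shown side by side: the OP's ownership marker (a slow hash of salt + password stored next to the file, which a host may honour or ignore) and nullplan's remedy (encrypt and authenticate the file with keys derived from that same password, which holds up on a host the owner does not control). The following Python is an added example written for this page, not code from any participant. It assumes a constructed container layout (salt, owner tag, nonce, ciphertext, MAC) and uses HMAC-SHA256 in counter mode as a stand-in stream cipher because the standard library ships no AES; a real implementation would use AES-GCM or ChaCha20-Poly1305 from a vetted library.

```python
import hashlib
import hmac
import os

# Constructed container layout (fixed lengths so it can be parsed offline):
#   salt(16) || owner_tag(32) || nonce(16) || ciphertext(len(plaintext)) || mac(32)
SALT_LEN, TAG_LEN, NONCE_LEN, MAC_LEN = 16, 32, 16, 32
PBKDF2_ROUNDS = 100_000  # slow hash: a leaked owner tag is costly to brute-force


def derive_keys(password: bytes, salt: bytes) -> tuple:
    """Stretch the password once and split the output into three independent
    32-byte values: the public owner tag (the OP's "hash of salt + password"),
    the encryption key and the MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS, dklen=96)
    return material[:32], material[32:64], material[64:96]


def keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demonstration stream cipher: HMAC-SHA256 used as a PRF in counter mode.
    Keystream block i is HMAC(enc_key, nonce || i). Chosen only because the
    standard library has no AES; use AES-GCM or ChaCha20-Poly1305 in practice."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(enc_key, nonce + block_no.to_bytes(8, "big"), "sha256").digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(password: bytes, plaintext: bytes) -> bytes:
    """Write a file the way nullplan suggests: encrypted (no read without the
    password) and authenticated (no undetected write without it)."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    owner_tag, enc_key, mac_key = derive_keys(password, salt)
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    header = salt + owner_tag + nonce
    # Encrypt-then-MAC over header AND ciphertext: rewriting the owner tag with
    # a hex editor is detected exactly like a change to the payload.
    mac = hmac.new(mac_key, header + ciphertext, "sha256").digest()
    return header + ciphertext + mac


def _split(blob: bytes) -> tuple:
    if len(blob) < SALT_LEN + TAG_LEN + NONCE_LEN + MAC_LEN:
        raise ValueError("container too short")
    salt = blob[:SALT_LEN]
    owner_tag = blob[SALT_LEN:SALT_LEN + TAG_LEN]
    nonce = blob[SALT_LEN + TAG_LEN:SALT_LEN + TAG_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + TAG_LEN + NONCE_LEN:-MAC_LEN]
    return salt, owner_tag, nonce, ciphertext, blob[-MAC_LEN:]


def owner_matches(password: bytes, blob: bytes) -> bool:
    """The OP's ownership check: does this password reproduce the stored tag?
    Advisory only; any host with raw access can ignore or overwrite the tag."""
    salt, owner_tag, *_ = _split(blob)
    expected, _, _ = derive_keys(password, salt)
    return hmac.compare_digest(expected, owner_tag)


def unseal(password: bytes, blob: bytes) -> bytes:
    """Enforced access: without the password-derived keys the MAC check fails
    and the ciphertext stays unreadable, whatever the host's admin decides."""
    salt, owner_tag, nonce, ciphertext, mac = _split(blob)
    _, enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + owner_tag + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("authentication failed: wrong password or modified file")
    return keystream_xor(enc_key, nonce, ciphertext)


def tamper(blob: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset, simulating an edit on another host."""
    edited = bytearray(blob)
    edited[offset] ^= 0x01
    return bytes(edited)


if __name__ == "__main__":
    secret = b"constructed sample content for Bob A's file"
    blob = seal(b"bob-a-password", secret)
    print("owner check, right password:", owner_matches(b"bob-a-password", blob))
    print("owner check, wrong password:", owner_matches(b"bob-b-password", blob))
    print("unseal:", unseal(b"bob-a-password", blob))
    for label, offset in (("owner tag", SALT_LEN), ("payload", SALT_LEN + TAG_LEN + NONCE_LEN)):
        try:
            unseal(b"bob-a-password", tamper(blob, offset))
        except ValueError as err:
            print(f"{label} edited -> rejected: {err}")
```

The owner tag alone gives exactly what the thread calls a "keep out" bit: a cooperating OS can use it to decide whose file this is, but nothing stops another host from ignoring or replacing it. The MAC and ciphertext are what survive a hostile host; since the MAC also covers the tag, a replaced tag is rejected when the real owner next opens the file.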

Re: File ownership on removable media

Posted: Sun Nov 24, 2019 6:45 am
by azblue
nullplan wrote:
LtG wrote:File ownership makes as much sense on a "removable" drive as it makes on any other drive. HDDs are removable too, just not as easily.
I have to agree with you there, but probably not in the way you thought of. Let me elaborate.

The purpose of a removable medium is transportation (if you don't store data on removable media in order to easily transport them, then why don't you use a really big hard disk plonked down in the corner of the room?) And this is where we get into problems. There is no concept of a User that can exist outside of an OS instance. For instance, all the users on my laptop are created, in the end, by my /etc/passwd file. The next system has a completely different /etc/passwd, or uses LDAP in a corporate network. The third system is Windows and has its mapping between UIDs and Users set out in the registry (and they have really complicated UIDs, but that's beside the point).

Therefore, I myself have a user instance in the corporate network of my employer, and a completely different user instance on my laptop. And probably, yet another one in the network of the University I used to attend. Or maybe they deleted that on graduation.

Now I save a file onto a USB thumb drive in my laptop. Conceptually, that file belongs to my user in the laptop. If I now take the same thumb drive to my work computer, if all OSes cooperated on this, it would have to deny me access, since the file is owned by my private laptop user, and not my corporate network user. Since neither domain knows about the other domain, and I aim to keep it that way, my laptop cannot give the file over to my corporate account, and neither can the work computer seize control of the file, since it can't know who it is taking the file away from (if it can seize the file, then it can seize whatever files I present to it on a USB stick, whether it is mine or not).

Now let's reverse the situation: A file on a USB stick is owned by my corporate user. In theory, I can't access the file on my laptop. But since I am local admin on my laptop (I also happen to be local admin on my work computer, but let's pretend I wasn't), I can change file ownership at will, and change file permissions.

In fact the very concept of admin privilege becomes really complicated once multiple computers get involved. If I can seize a file on a thumb drive in my laptop, why can't I in my work computer?
This brings up an interesting question about how things should work. Going back to my Bob and his computers, it makes sense that Admin A can change Bob A's file permissions -- the Admin is above the user. But when Admin A has articulated to computer B that a file on the removable drive belongs to Bob A, does it make sense for OS B to allow Admin B to override that? Admin B is equal to, not above, Admin A.

I don't think you should be able to seize files that aren't yours -- even with Admin privileges.
nullplan wrote:The only thing that could cure this ill would be a global user database, where each real person has an entry. Such a thing does not exist, and nor should it. It sounds Orwellian. Who would run it? The government? I am not aware of any government in the world that has enough competency to tell their right hand from their left, given three tries; and simultaneously enough integrity to run such a database entirely dispassionately, never using it to, say, punish people they don't like ("no more computer access for you, wrongthinker"). I trust those people about as far as I can throw a freight train.
A hash of a UUID + password or salt + password uniquely identifies a user with no global database.

nullplan wrote: Also bear in mind that this was just me taking a file from one computer to another. I did not even send it to anyone else. Of course, that also happens a lot, that I create a file on a thumb drive, then give it to someone else. Or receive a file or set of files in this way. But still multiple users are involved.
Yes, if the files are intended to be accessed by others they should be marked as public.

nullplan wrote: And this was all just an example involving a theoretical FS with users recognized by multiple OSes. Now let's switch to practice, shall we? I'll format a thumb drive with ext2 then put a file on there, on my laptop. The file belongs to UID 1000, which is usually the UID of the first real user in a Linux system, and most laptops are single-user.

Then I take the USB stick to my work computer, where it is still read as UID 1000. But since the work computer is part of the corporate network, that UID is looked up in the LDAP, and suddenly, someone completely different owns the file. Someone with absolutely no claim to the file.
That's why UID is a terrible way to determine ownership. Hence salt + password hash.

nullplan wrote: Or another example: I buy a DVD and stick it in the drive. Which user owns the video files on there?
The files should be marked as public, since their intention is to be owned by anyone who has the disk.

nullplan wrote:That is why a userless FS like FAT or ISO 9660 (or UDF) is preferable on removable media. On those media, the files are owned by whatever user mounted the medium, which is perfectly sensible: It means file ownership exists on these devices as long as they are attached to the system.

That much for the concept of file owners. As for security: Security is defined by the things that can't happen. The security part of the concept of file owners was supposed to make it impossible for one user to read or modify the files of another. The enforcement happens in the computer system the medium is attached to. If an eavesdropper were to get hold of the medium, they can plug it into whatever computer system they deem fit (they control it entirely), and thus circumvent whatever protections you may envision. Therefore the only way to prevent unauthorized access to your files on a removable drive is to encrypt (to prevent read access) and sign them (to prevent write access). Because you can't trust whatever computer system the medium will end up in.
Yes, obviously setting a bit that says "you can't read this" isn't really gonna stop anyone from reading any files. However...
nullplan wrote:
This is also true of HDDs, which is why the concept of file owners of the files contained on them is routinely circumvented when such a drive is seized by the authorities. It doesn't matter if the eavesdropper has a badge or not, if they have access to the medium then they have access to everything on it. The entire security concept of UNIX with regards to file ownership and file permissions is contingent on the drive never leaving the computer system (that is, the user namespace). Once it does, the entire thing becomes meaningless.
Should there be no file ownership on HDDs because the system can be circumvented?

Re: File ownership on removable media

Posted: Sun Nov 24, 2019 7:07 am
by azblue
Solar wrote: Now, any scheme that would result in "strong" ownership of the file would require that all recipients, for all conceivable purposes past and future, would have to agree on that ownership handling. Just looking at Windows vs. Linux user / permission handling should show that this is an absolutely ludicrous idea, not even taking the millions of embedded applications into account. Strong ownership would require my SAT receiver to have a notion of user IDs and accounts when recording a TV show to USB drive. Really?
If your SAT receiver understands FAT and the USB is formatted to FAT and there's no concept of UIDs anyway, there's no issue. If your USB is formatted to NewFilesystemThatSupportsUUIDs and the SAT receiver doesn't understand NewFilesystemThatSupportsUUIDs, again there's no real issue (it'll tell you it doesn't understand the FS). Any OS which does understand the new file system would be able to handle it properly -- as is the case with any FS. There would be no trouble taking the USB stick to/from Linux computers, Windows computers, work vs home, etc.
Solar wrote: Plus, most operating systems have the concept of a "superuser", which is usually allowed to override just about every access restriction.
Which I think is the wrong way to do it.
Solar wrote: Hence, file ownership on removable media is a bonus for when you are moving the media between systems of one established network with consistent user management (IDs, access rights etc.). Like I do with the USB sticks we use in the family. If my son saves a file on his personal stick and my daughter gets a hold of it, she'll see that the files are owned by her brother, and won't have access to them. Because all the systems in the house use the same user IDs, as do the personal sticks.

But the generic sticks, those used for getting a video from computer to television or a recording from television to computer, don't. One, because the television doesn't have (or need) user accounts, just one PIN required for access and another required for rated content. Two, because the television doesn't "speak" a file system that could handle the kind of owner / permission data used by our desktops' OS (Linux). Here, another filesystem (FAT) with no strong ownership is used, and I think that's the correct way to do it, because the protocol is not yet established when writing the file.
The reason to use FAT is because the TV doesn't understand other FSes, not because you need a FS with no permissions. Any FS with permissions should also have the concept of a userless file, one that is accessible to anyone, for situations where that is what you want.
Solar wrote: Any restricting protocol / ownership for files on removable and generically interchangeable devices must therefore be implemented on top of such a permissive filesystem / ownership scheme. If A is faced with the challenge of securely passing data (only B can be the recipient) over an insecure channel (removable media to which C might get access), the solution is (quite obviously) an encryption protocol already established between A and B.

Bottom line, there's use cases for ownership on removable media, but this is not "strong" -- a superuser will be able to override those settings. But for security among non-privileged users, it's enough.

But for the USB stick in your pocket, used to get file Z from X to Y and do {whatever} with, strong ownership is not only unachievable, but indeed counterproductive.
I'll certainly agree the user ownership isn't strong -- it essentially amounts to a bit that tells others to keep out. But any honest OS should honor that bit.

Re: File ownership on removable media

Posted: Sun Nov 24, 2019 9:53 am
by Solar
azblue wrote:
Solar wrote:Plus, most operating systems have the concept of a "superuser", which is usually allowed to override just about every access restriction.
Which I think is the wrong way to do it.
But this is the core, the crux of the issue. Anybody could write an FS module that supports your FS, but ignores its UID / permissions. You might consider that questionable from an ethical standpoint, but it's a simple technological fact.

The basic assumption in system security is, and rightly so IMO, that if you lost physical control of a system (or a medium) you're hosed security-wise anyway. Any attempt to make it otherwise is, basically, either "security through obscurity" (a.k.a. "futile") or a massive breach of privacy, placing the authority to decide what may or may not happen on / with your computer to some remote (authorization) entity.

Hence, I consider it "not a problem at all" to forgo file ownership on removable media, except for convenience / protection-from-noob-user purposes (as I laid out in my previous post).
azblue wrote:Should there be no file ownership on HDDs because the system can be circumvented?
The file ownership on HDDs is there to allow the OS to control file access while the HDD is running under your OS. IMHO, there is no "circumvention" involved when I take that HDD and plug it into a different computer, accessing the files while ignoring whatever your OS added in file ownership / permission flags, because your OS is not in command at that point.

The "system" you are referring to that has been circumvented there is the physical control over the drive. It's not the job of the OS, or FS, to assist with that.