* UNIX OSes
  - multitasking
  - multiuser
  - portability

* Architecture
  = Kernel
    - hardware management
    - memory management
    - process management
    -- kernel modules
  = User space
    - Unix shell
    - daemons
    - countless small programs

* Overview of the security mechanisms in Unix OSes
  = Users
    - UID, GID, additional groups
    - special users / root (UID == 0)
  = Processes (explain what a daemon is and what a process is)
    * RUID, RGID - real UID and GID of the user on whose behalf the process is running
    * EUID, EGID - effective UID and GID, used for privilege checks (except for the filesystem)
    * SUID, SGID - saved UID and GID; used to support switching permissions ``on and off'' as discussed below. Not all Unix-like systems support this.
    * supplemental groups - a list of groups (GIDs) in which this user has membership. In the original Version 7 Unix this didn't exist: a process was a member of only one group at a time. BSD added support for a list of groups in each process.
    * umask - a set of bits determining the default access control settings when a new filesystem object is created
    * scheduling parameters - each process has a scheduling policy. man nice
    * limits - per-process resource limits
    * filesystem root - the process' idea of where the root filesystem ("/") begins; see chroot(2)
    Less common attributes:
    * FSUID, FSGID - UID and GID used for filesystem access checks; these are usually equal to the EUID and EGID respectively. This is a Linux-unique attribute.
    * capabilities - POSIX capability information; there are actually three sets of capabilities on a process: the effective, inheritable, and permitted capabilities.
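The RUID/EUID/SUID triple is easiest to understand in code. The following is an added example, not part of these lecture notes: it shows the two ways a set-user-ID program uses the saved UID, switching privilege ``off'' and back ``on'' with seteuid, and dropping it permanently with setresuid so that the saved ID can no longer be used to get the privilege back, then verifies the result. The function names are mine; the Linux-specific getresuid/setresuid calls are used (hence _GNU_SOURCE). Run as an ordinary user it simply re-sets the caller's own IDs, which is enough to exercise every check.

```c
/* Added example (not part of the lecture notes): working with the
 * real, effective and saved UIDs of a process. A set-user-ID program
 * starts with RUID = invoking user, EUID = SUID = file owner. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Switch privilege "off": EUID := RUID. The saved UID keeps the owner,
 * so privilege_on() can restore it; this is the reversible mode. */
int privilege_off(void)
{
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0)
        return -1;
    return seteuid(ruid);
}

/* Switch privilege back "on": EUID := SUID. Only works while the saved
 * UID still holds the privileged value, i.e. before a permanent drop. */
int privilege_on(void)
{
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0)
        return -1;
    return seteuid(suid);
}

/* Drop permanently: supplementary groups first (needs privilege, so it
 * is only attempted while EUID == 0), then all three GIDs, then all
 * three UIDs. Setting the saved IDs too is what makes the drop
 * irreversible. */
int drop_privileges_permanently(uid_t target_uid, gid_t target_gid)
{
    if (geteuid() == 0 && setgroups(1, &target_gid) != 0)
        return -1;
    if (setresgid(target_gid, target_gid, target_gid) != 0)
        return -1;
    if (setresuid(target_uid, target_uid, target_uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop: every one of the six IDs must equal the target. */
int credentials_match(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return ru == uid && eu == uid && su == uid &&
           rg == gid && eg == gid && sg == gid;
}

/* 1 if the process can still make itself EUID 0, 0 if not, -1 if the
 * original EUID could not be restored. After a permanent drop to a
 * non-zero UID this must be 0; a setuid-root program that only did
 * seteuid(getuid()) would still get 1 here because SUID stayed 0. */
int can_regain_root(void)
{
    uid_t euid = geteuid();
    if (seteuid(0) != 0)
        return 0;
    if (seteuid(euid) != 0)
        return -1;
    return 1;
}

int main(void)
{
    uid_t ru, eu, su;
    if (drop_privileges_permanently(getuid(), getgid()) != 0) {
        perror("drop_privileges_permanently");
        return 1;
    }
    getresuid(&ru, &eu, &su);
    printf("ruid=%u euid=%u suid=%u, can regain root: %s\n",
           (unsigned)ru, (unsigned)eu, (unsigned)su,
           can_regain_root() == 1 ? "yes" : "no");
    return credentials_match(getuid(), getgid()) ? 0 : 1;
}
```

The order in drop_privileges_permanently matters: groups and GIDs are changed while the process still has the privilege to do so, and the UIDs go last because after that step nothing else can be changed. A program that only calls seteuid() has merely switched privilege off; can_regain_root() makes that difference observable.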
  = Filesystem objects (FSOs)
    * files
    * directories
    * symbolic links
    * FIFOs (named pipes)
    * sockets
    * devices
    Attributes:
    - owning UID and GID (the owner) (only the root user can change the owner)
    - permission bits (read, write, execute) for each of (owner, group, other)
      - short explanation of the octal number system and how each bit is counted
      - rwxr-xr-x == 755
      In directories, the ``read'' permission is necessary to display a directory's contents, while the ``execute'' permission is sometimes called ``search'' permission and is necessary to actually enter the directory to use its contents. ``Write'' permission on a directory permits adding, removing, and renaming files in that directory.
    - sticky bit (+t)
      When set on a directory, unlinks (removes) and renames of files in that directory are limited to the file owner, the directory owner, or root privileges.
    - setuid, setgid (u+s, g+s)
    - timestamps (access time, modify time, creation time)
    Linux unique:
    - immutable bit
    - append-only bit
    - ACLs
  = System V IPC
    - message queues
    - semaphore sets
    - shared memory segments
    * read and write permissions for each of creator, creator group, and others
    * creator UID and GID
    * owning UID and GID
  = Signals
    For a process to have permission to send an arbitrary signal to some other process, the sending process must either have root privileges, or the real or effective user ID of the sending process must equal the real or saved set-user-ID of the receiving process.
    - SIGURG

* Authentication
  = Users and passwords
    - /etc/passwd
    - /etc/shadow
    - BSD variations on the theme
    - PAM

* Limits
  = Quotas and limits

* Auditing
  - syslogd
  - wtmp, utmp, lastlog

* Security extensions
  = Jail (Linux vservers)
  = User-mode Linux

* Generic attacks
  - /tmp race conditions (symlink attacks)
  - attacks on SUID files
  - cracking passwords that are not in a shadow file