4. Sharing files in Unix. (25 pts) Alice wants to be able to share read and write access to some of her files on a Unix system) with dynamically changing sets of users. Since she is not root, she can't just construct new groups for each file, nor can she turn on the optional ACL feature available on some systems. So she decides to use setuid programs that will implement ACLs for sharing files with her friends. Alice's design calls for two setuid-Alice, world-executable programs (i.e., programs that anyone can run, and which execute with her privileges) named alice-write and alice-read. She specifies that the programs should operate as follows: alice-write [in] [out] first checks a permission file written by Alice to make sure that the real uid of the process that of the calling user) is allowed to write to the file out. If so, then the program reads the file in and writes it over out. alice-read [in] [out] first checks a permission file written by Alice to make sure that the calling user is allowed to read the file in. If so, the the program reads in and writes it to the file out. Alice sat in on the first few weeks of 5271, so she also knows to be careful about implementing programs like this. She knows there should be no buffer overflows in alice-read and alice-write, that the permissions file should be uniquely named in the program and modifiable only by her, and that the programs should only accept files paths listed in the permissions file. Before she goes off to hire someone to implement her design, she asks you to critique it. Point out some remaining security problems with Alice's design. For instance, suppose Bob can read and write some of Alice's files but not others; can he use alice-write and alice-read to gain access to files he shouldn't? Are there potential attacks that could allow third parties to read/write Alice's files? Does any security-relevant part of Alice's design seem vague or unclear? To avoid the problems you've identified, suggest design changes to the interface and/or the implementation of alice-write and alice-read. 4. Sharing files in Unix. (25 pts) Alice wants to be able to share read and write access to some of her files on a Unix system) with dynamically changing sets of users. Since she is not root, she can't just construct new groups for each file, nor can she turn on the optional ACL feature available on some systems. So she decides to use setuid programs that will implement ACLs for sharing files with her friends. Alice's design calls for two setuid-Alice, world-executable programs (i.e., programs that anyone can run, and which execute with her privileges) named alice-write and alice-read. She specifies that the programs should operate as follows: alice-write [in] [out] first checks a permission file written by Alice to make sure that the real uid of the process that of the calling user) is allowed to write to the file out. If so, then the program reads the file in and writes it over out. alice-read [in] [out] first checks a permission file written by Alice to make sure that the calling user is allowed to read the file in. If so, the the program reads in and writes it to the file out. Alice sat in on the first few weeks of 5271, so she also knows to be careful about implementing programs like this. She knows there should be no buffer overflows in alice-read and alice-write, that the permissions file should be uniquely named in the program and modifiable only by her, and that the programs should only accept files paths listed in the permissions file. Before she goes off to hire someone to implement her design, she asks you to critique it. Point out some remaining security problems with Alice's design. For instance, suppose Bob can read and write some of Alice's files but not others; can he use alice-write and alice-read to gain access to files he shouldn't? Are there potential attacks that could allow third parties to read/write Alice's files? Does any security-relevant part of Alice's design seem vague or unclear? To avoid the problems you've identified, suggest design changes to the interface and/or the implementation of alice-write and alice-read