• Linux provides a variety of mechanisms for processes to communicate, which can involve notifying

another process about an event or transferring data between processes.

SYNCHRONISATION AND SIGNALS

• Signals are the standard mechanism in Linux for one process to inform a process that an event has
occurred.
• Any process can send signals to another, but restrictions apply to processes owned by different users
• Signals only convey that an event has occurred; they cannot carry additional information.
• Signals are also generated by the kernel (e.g., notifying when a child process ends or a timer expires).
• Processes running in kernel mode don’t use signals to communicate.
• Instead, they use scheduling states and wait queue structures for event notifications.
• When a process waits for an event, it places itself on a wait queue and informs the scheduler that it
is no longer eligible for execution.(it enters a waiting state or blocked state). Once the event occurs,
all processes in the queue are awakened.
• Multiple processes can wait for the same event using a shared wait queue, such as several processes
waiting for data to be read from a disk. Imagine Process A, Process B, and Process C all request to read
data from the same file on the disk. All three processes are added to the same wait queue.
• Once the event occurs (e.g., the disk driver reads the requested data into memory), the kernel triggers
the associated wait queue.
• Thus, all waiting processes are notified and can resume execution.
• Example: Multiple processes waiting to read a file from disk will all be notified once the file is ready.
• Semaphores are another mechanism for process synchronization in Linux, borrowed from System V
UNIX.
• Internally, wait queues synchronize processes communicating through semaphores.
• Advantages of semaphores:
➢ A large number of semaphores can be shared among independent processes.
➢ Operations on semaphores can be performed atomically (all at once without interruption).

• In short, Linux provides flexible tools for processes to notify each other and coordinate, using signals,
wait queues, and semaphores for effective communication and synchronization.
PASSING OF DATA AMONG PROCESSES
• Linux provides multiple ways for processes to share data, depending on the need for speed and
synchronization.
❑ Linux uses the standard UNIX pipe mechanism to pass data between processes.
• Pipes are a simple way to pass data between a parent and child process. Pipes enable a child
process to inherit a communication channel from its parent.
• Data written at one end of the pipe can be read from the other end.
• Pipes use wait queues to synchronize reading and writing.
❑ Networking facilities support or allow processes to send data streams to both local and remote
processes.
❑ Shared memory is an extremely fast mechanism for processes to exchange data.
• Data written by one process to a shared memory region is immediately available to other
processes that have mapped the same region into their address spaces.
• Shared memory alone does not provide synchronization. Processes cannot check if the memory
has been updated or wait for a write to occur without additional synchronization mechanisms.
Additional mechanisms (like semaphores or signals) are needed to coordinate access.
❑ Shared-Memory Objects
• Shared-memory regions in Linux are treated as independent objects, similar to small independent
address spaces, that persist even if no process is using them.
• Linux can save shared memory pages to disk when needed, similar to paging out regular process
memory.
• A shared-memory object acts as a backing store, and its contents persist even if no processes are
currently mapping it into virtual memory.
• Shared-memory regions can behave like memory-mapped files, where page faults load data into
memory when required.
• Key security concerns in linux security:
➢ Authentication: Ensures only authorized users can access the system by verifying their identity.
➢ Access Control: Restricts which users can access specific files or resources and enforces permissions.
• Security Model is based on traditional UNIX security principles.

AUTHENTICATION
• UNIX traditionally used a publicly readable password file for authentication.
• A user’s password was combined with a random “salt” value and passed through a one-way transformation function
before being stored in the password file.
• The one-way function ensured that the original password could not be directly derived from the password file, except
by trial and error.
• During login, the system would recombine the entered password with the stored salt, apply the same transformation,
and compare the result to the stored value to verify the password.
• Drawbacks of the Traditional System:
➢ Passwords were often limited to eight characters.
➢ The limited number of salt values made it easier for attackers to use a dictionary of common passwords combined with
all possible salt values to guess stored passwords.
➢ This approach made the system vulnerable to trial-and-error attacks, potentially leading to unauthorized access.
• Therefore, Password files were made private and no longer publicly readable. Support for longer passwords was
introduced. More secure methods for encoding passwords were developed.
• Additional authentication mechanisms were implemented to restrict the time periods during which users could log in
and distribute authentication information across all related systems in a network.
• A better solution introduced was PAM (Pluggable Authentication Modules).
• PAM (Pluggable Authentication Modules) is a system based on a shared library that any system component can use to
authenticate users.
• It allows authentication modules to be loaded dynamically, as specified in a system-wide configuration file.
• If a new authentication method is introduced, it can simply be added to the configuration file, and all system
components will immediately be able to use it.
• It provides flexibility in specifying authentication methods, account restrictions, session setup functions, and password-
changing functions.
• When users update their passwords, PAM ensures that all relevant authentication mechanisms are updated
simultaneously.
• PAM allows for easier and more centralized management of authentication across the system.
• This approach significantly improved the security and manageability of authentication in UNIX systems.
ACCESS CONTROL
• UNIX/Linux systems use User Identifiers (UIDs) and Group Identifiers (GIDs) for access control.
• A UID identifies a single user or their access rights, while a GID identifies access rights shared by a group of users.
• Access control applies to various objects, including files, shared-memory sections, and semaphores.
• Every object in the system has a UID and GID. Processes also have a UID and potentially multiple GIDs.
• Access rights are granted based on these identifiers:
➢ If a process's UID matches the object's UID, the process has owner rights.
➢ If a process's GID matches the object's GID, it has group rights.
➢ If neither match, the process has world rights.
• Objects have a protection mask specifying access modes (read, write, execute) for three categories: owner, group, and
world.
• For eg: The owner might have full access (read, write, execute), Group members might only have read access,
Everyone else (world) might have no access.
• The root UID (administrator) bypasses all access control checks and can access any object or perform privileged
operations.
• Root privileges include accessing kernel resources and performing system-level tasks like opening reserved network
sockets.
• The setuid mechanism allows programs to temporarily run with different privileges than the user running them.
• Example: The ‘lpr’ program (for printing) can access print queues even if the user cannot.
• Processes have two types of UIDs:
➢ Real UID: The user's actual ID.
➢ Effective UID: The ID the process uses while executing.
• Saved UID Mechanism allows a process to switch between its real UID and effective UID without permanently
changing either.
• A program can perform most tasks in a low-privilege mode and only enable full privileges when necessary.
• Fsuid and Fsgid Mechanism allow a process to access files on behalf of another user without adopting the user’s full
identity.
• Useful for server processes to handle user files without being vulnerable to user actions (e.g., being suspended or
killed).
• Linux allows processes to selectively pass access to specific files to other processes via file descriptors. When two
processes are connected through a local socket, one can send the other a file descriptor for an open file. This
mechanism ensures fine-grained privilege delegation:
• For example, a print client can give a print server access to specific files to print without granting access to all user
files.