The operating system is a go-between, between the physical
machine and the users/programs.
If you take a big picture view of a computer, you get three
things:
- the physical computer
- the operating system
- the user and programs running on the user's behalf
You should understand what I mean by "the physical machine", and
you should certainly understand "the user". What's meant by
"programs running on the user's behalf" is simply that when you
want to, for example, check e-mail, you launch the
e-mail program. So that email program is communicating over
networks, printing files, etc, on your behalf.
So what's the Operating System? On your laptops it's Windows;
if you own an iPhone, it's iOS; if you have another smartphone,
it might be Android; on the computer I'm using as I type this,
it's Linux. The operating system is a very special
program. It manages all the programs running on the computer
and acts as an intermediary between those programs (or the user)
and the physical machine. Neither the user nor a regular
program manipulates a resource like the hard drive directly.
Instead, they ask the operating system to manipulate the
resource on their behalf. In this lesson we'll learn a bit
about operating systems.
NASA's Curiosity Mars explorer
You might wonder what OS gets used for something like NASA's
Curiosity robot, which is exploring Mars as we speak.
It's not one of the major PC or mobile OSs we talk about in
SI110! Check out this article, which describes the hardware and OS on the
Curiosity. It includes a 10+ year-old CPU, and an OS that was
initially released in 1985, but it has to be able to handle
extremes in temperature, radiation, navigate an alien world on
its own, and communicate with engineers so far away light itself
takes 14 minutes to make the trip ... one-way!
What is an Operating System
An Operating System (OS) is a program (or collection of
programs) that manages the physical computer and the programs
that run on it.
There are many different OS's out there, and you may be
passingly familiar with several:
- MS Windows - your laptops "run Windows 7", meaning that
  the OS is MS Windows version 7
- Unix - Unix is actually a family of OS's. The CS
  department web server runs a Unix variant called Linux.
  Apple's Mac OS X is a variant of Unix. Linux is going to
  play a role in this course. It's what's called
  Open Source, which means that people are free to modify it
  to suit their needs. A lot of security-related tools
  are built this way, i.e. they're variants of Linux.
- iOS - Apple's iPhone, iPod Touch and iPad all run an
  operating system called iOS, which is designed for smaller
  "mobile devices".
- Android - many smart phones run Google's Android OS,
  which is another OS built specifically for mobile devices.
Because the OS manages the computer and all the programs that
run on the computer, it is of critical importance to security.
It can restrict what programs and users do to make sure they
can't cause too much trouble on the system. Conversely though,
when OS's have security flaws, it's a really big
problem.
Here is a recent example.
Services the OS Provides
The OS provides services to users and programs — it does
things they need done that they cannot or are not allowed to
do for themselves. Some important kinds of OS-provided
services are:
- file operations — the OS manages all the different
  storage-related peripherals, like hard drives, flash drives,
  DVD's, etc. Only the OS can truly create, modify, read
  and destroy files.
- network connections — only the OS can actually send
  or receive data to/from a computer's ethernet port (wired)
  or WiFi radio (wireless). A program that wishes to send
  data over a network has to ask the OS to do it on the
  program's behalf.
- user accounts, permissions and logins — the OS
  ensures that users login properly, and that they can only
  access the things they're supposed to.
- processes — more about this below. The important
  thing here is that the OS manages the programs as they
  execute, scheduling when each program gets to use the CPU
  to progress in its execution.
The OS generally provides three ways for programs and users to
access its services:
- the GUI — GUI means "graphical user interface",
  basically this is the stuff you click on or use
  your fingers on a touch screen to interact with.
  For example, in Windows you can right-click on a file
  name in the file browser, choose the "rename" option in
  the resulting menu, type in a new name, and then press
  enter. This asks the OS to change the file's name on the
  hard drive for you.
  The GUI is an OS interface pretty much only for users, not for programs.
- shell commands — The shell allows commands for the OS to be
  entered as plain text strings. For example, in the Windows shell
  (called Command Prompt), to change the name of a file currently
  named foo.txt to bar.txt, you would type:
      move foo.txt bar.txt
  The shell is an OS interface for both programs and users.
- the API — API stands for Application Programming
  Interface. It is a very direct way for an executing
  program to ask the OS to do something on its behalf.
  The API is an interface exclusively for programs.
The Windows shell can be accessed by clicking on the start button
and choosing Command Prompt.
Although you are probably only familiar with using the GUI to
access operating system services, the shell will be important
for this course. That importance stems in no small measure
from the fact that the shell is an interface to the OS for
both users and programs alike. The OS's we'll use for this
course are Windows and (a little bit of) Linux. Both have
shells.
File Systems
You cannot understand information systems without understanding
a bit about file systems. Files and folders are organized
hierarchically on your computer. In Windows, you have a
separate hierarchy for each Drive Letter, which is a
letter followed by a colon. Normally,
different drive letters correspond to different devices,
perhaps C: is your hard drive, E: is
your DVD drive, F: may be what gets assigned
to your camera when you plug it in (a camera has a drive with a
filesystem for storing its photos). A file (or folder)
is not defined uniquely by its name! Instead, it is
defined uniquely by the path from the top of the
hierarchy down to the file (or folder) in question, where the
names in the path are separated by backslashes (\'s).
You can navigate these file hierarchies in Windows by
clicking on the start button
and choosing Computer from the right-hand side of
the list that pops up. What you see at first is a screen with
icons for each of the drive letters available on your system.
Double click on C: and what you see is a list of
all the files and folders that comprise the next level down in
the hierarchy rooted at C:. Double click on
Users and what you see is a list of
all the files and folders that comprise the next level down
from C:\Users. Double click on your user name,
and then on Desktop after that. You're now fairly
far down in the hierarchy. If there was a file
named foo.txt here, its path would be
C:\Users\m17xxxx\Desktop\foo.txt
and while there
may be many files named foo.txt on your system,
there's only one with that exact path. BTW: In the file
viewer, if you click on the icon at the far left of the
address bar at the top, it prints out the path for you.
Key Points
- files and folders are arranged hierarchically
- every file and folder has a place in the hierarchy
  So when you save a file in Word or download a file
  using your browser, those files get put somewhere in your
  filesystem, and you need to start becoming cognizant of where!
- every file and folder is uniquely named by its path
- in a file viewer window, you see the contents of one
folder, the current folder, and the address bar
describes the path to the current folder
This is an example of what your laptop's filesystem looks
like (in part).
- C:\
  - Program Files\
  - SI110Programs\
  - Users\
    - Administrator\
    - m179999\
    - Public\
  - Windows\
In the example hierarchy above, you see that there are three
files named "hello.txt". There is no conflict, however,
because they are in different directories (folders). Their
full path names are:
C:\Users\m179999\Desktop\hello.txt
C:\Users\m179999\Downloads\hello.txt
C:\Users\Public\hello.txt
The basic file system operations are to create or delete files
and folders, to move (i.e. rename) files and folders, and to
copy files and folders. By now, you are probably familiar
with how to do these kinds of things using Windows' GUI —
technically, using
Windows Explorer.
A brief look at the structure of a shell command
A shell command consists of a name, zero or more arguments,
and zero or more options. For example:
move /-Y C:\Users\billy\Downloads\vacation.jpg photos\archive\vacation.jpg
---- --- ------------------------------------- ----------------------------
 \    \             \                                  \
  \    \--- option   \--- argument                      \--- argument
   \
    \--- name
- command name - this names the thing you
  actually want done.
  In fact, a shell command is a
  request to have a program executed, and name
  is literally the name of the program you want
  executed. (Note: There are exceptions, i.e. situations
  where the command is built in to the shell itself, and not a
  separate program to be executed, which is beyond
  the scope of this course.)
- command arguments - these provide the command
  with the information it needs to operate; for example, if
  the command is to move a file, the arguments tell the
  command what file to move, and where to move it
- command options - these are special arguments that start
  with a / or - character in Windows (with a - character in
  Unix), and they modify the operation of the given command
Note: Normally space separates arguments, but " "s
allow you to make an arbitrary string (including spaces) a
single argument. So, for example, the command
    mkdir foo bar
creates two directories, foo
and bar, while the command
    mkdir "foo bar"
creates a single directory named
foo bar.
Note that this is different from
    mkdir "foo    bar"
which creates a single directory named
foo    bar (the extra spaces are part of the name).
File Systems Operations with the Shell
The GUI's file viewer has a current folder
that it's in at any given point in time. The shell works the
same way, and its current folder is displayed to the left of
the command prompt. You hop from one drive letter hierarchy to
the next by typing the drive letter and colon then pressing
enter.
You list the contents of the current folder with
dir.
To move down in the hierarchy from your current drive letter,
you type cd followed by the name of the folder
you want to move down into. (cd stands for "change directory",
"directory" being the Unix name for "folder".) The argument
to cd doesn't need to be a name; it could be a
path (starting from the current folder) several folders deep,
it could be ".", which makes cd do nothing, or it could be "..",
which makes cd go up a level in the hierarchy rather than down.
In fact, "..\.." or "..\..\..", etc. are allowed for going up
multiple levels in a single step. Also we have
- mkdir argument1 — which makes
  a new folder named argument1 in the current folder
- del argument1 — which deletes
  the file named in the argument.
- rmdir argument1 — which deletes
  the folder named in the argument.
- copy argument1 argument2 —
  makes a copy of the file named in the first argument, and
  gives the copy the name provided by the second argument
- move argument1 argument2 —
  renames the file named in the first argument using
  the name provided by the second argument
- type argument1 — prints the
  contents of the file argument1 to the screen.
  Don't try this on a non-text file!
The arguments to these commands can be relative paths,
i.e. paths that are relative to the current folder,
or absolute paths, i.e. paths that begin with a drive
letter and thus are interpreted the same way regardless of the
current folder.
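A worked Command Prompt session that strings these commands together, as an added example that is not part of the original notes. The folder name si110demo and the file names are made up, and the echo ... > line (output redirection, which these notes do not cover) is used only to create a small text file.

```batch
@echo off
rem Added example: everything happens in a scratch folder (si110demo, a
rem made-up name) under the current user's temporary folder.
cd /d "%TEMP%"
mkdir si110demo
cd si110demo

rem Quotes make a name that contains a space a single argument.
mkdir "foo bar"
mkdir archive

rem Create a small text file to work with (redirection, not covered above).
echo hello from the shell> hello.txt

rem Relative path: interpreted starting from the current folder.
copy hello.txt archive\hello.txt
rem Absolute path: means the same thing whatever the current folder is.
copy hello.txt "%TEMP%\si110demo\foo bar\hello.txt"

rem Rename with move, then print the file's contents.
move hello.txt greeting.txt
type greeting.txt

rem List everything below the current folder with full paths: two files
rem are named hello.txt, but each one has a different path.
dir /s /b

rem Go down one level, then up two levels with a single cd.
cd archive
cd ..\..

rem Clean up: del removes files, rmdir removes (now empty) folders.
del si110demo\greeting.txt
del si110demo\archive\hello.txt
del "si110demo\foo bar\hello.txt"
rmdir si110demo\archive
rmdir "si110demo\foo bar"
rmdir si110demo
```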
Processes
You can get a list of all the processes currently running on
your system:
a) press control+alt+delete,
b) choose Start Task Manager,
c) click on the Processes tab,
d) select Show processes from all users
Recall that a program is really
just a file, a file that contains the instructions the CPU
is supposed to execute. A running instance of a program is
called a process and, for the moment, you may
think of a process as consisting of the program + which
instruction in the program you're currently at. The same
program could be executing more than once simultaneously.
In this case you'd have many processes that were executing
instances of the same program.
User accounts, logins, permissions
When the Task
Manager shows processes, it lists the User name.
Every process has a username attached to it
(that user is called the process's owner)
— typically the name of the user that caused the program
to be run.
Every file and folder also has a username attached to it (that
user is called the file's owner).
In the shell, the
command dir /Q
lists all folders and files along with their owners' usernames.
Normally, the OS denies a process any
request it might make to manipulate a file or folder
unless the username attached to the process matches the username
attached to that file or folder. Why just "Normally"? Because
each file has a set of permissions —
essentially rules defining which users can perform what kinds of
actions — that are adjustable by the file's owner, and the
owner can use those rules to change this behavior.
To view a file's permissions in Windows:
- Right click on the file in question and select Properties.
- Click on the Security tab.
- View the permissions on that file. Modify carefully!
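The same ownership and permission information can be read and changed from the Command Prompt. This is an added example, not part of the original notes: whoami, tasklist and icacls are standard Windows commands the notes do not cover, eval.txt is a made-up file, and m178888 stands in for a second account that must exist on the machine.

```batch
@echo off
rem Added example; eval.txt is a made-up file and m178888 a stand-in account.
cd /d "%TEMP%"
echo draft evaluation> eval.txt

rem The username this shell (itself a process) is running as.
whoami
rem Processes owned by that user; /V adds the User Name column.
tasklist /V /FI "USERNAME eq %USERNAME%"

rem The file's owner, then its permission rules (what the Security tab shows).
dir /Q eval.txt
icacls eval.txt

rem Tighten access: drop the rules inherited from the parent folder and
rem leave only full control (F) for the current user...
icacls eval.txt /inheritance:r /grant:r "%USERNAME%:F"
rem ...plus read-only (R) access for one named reviewer.
icacls eval.txt /grant m178888:R

rem Confirm that only those two entries remain, then clean up.
icacls eval.txt
del eval.txt
```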
The security of information on the system (and thus of the system
itself) relies on this user/permissions scheme for controlling
the access of processes to files. Thus, it is crucial that a
process whose owner is listed as m179999 was really
launched at the behest of the person whose username
is m179999. That means that the login procedure is
very important.
The Operating System manages user accounts, logins and
process/file permissions. This job is crucially important for
security. If user m179999 is allowed to launch a
process whose owner is listed as m178888
... well, we've got trouble. That would give
user m179999 access to m178888's
files.
The rights that a user has to access files are constrained.
Generally, however, there will be one account with unlimited
rights (so, for example, they can read every file on the
system, regardless of the usual user permission schemes).
A user with these unlimited rights is called ... wait for it
... Superuser!
There may be an actual superuser account (on Unix systems this
is the account with username root), or regular
users may be able to run a program with superuser privileges
(we often say elevated privileges to communicate that
the program/user can do more than they normally could)
using a special password.
In Windows 7, a User Account Control dialog box opens
up when a program asks to run with elevated privileges.
In Unix, a command is prefaced with sudo
(super-user do) to run with elevated privileges.
The ultimate prize in attacking a single computer is to be
able to run programs with superuser privileges, because then
you own that machine.
In particular, if you can launch a shell with superuser
privileges, you win.
IT Officer
The local area network available for crew member
use on naval vessels allows for collaboration and sharing of files
through the use of file sharing. Users (the crew) log in to any one of
the available computers onboard to use it.
A typical use of the LAN is
creating and reviewing personnel fitness reports and evaluations, which
are subject to privacy protection. Although the operating system provides
access control to files, the file owners must specify which users should
and should not have access. The concept of least privilege should be
applied in this case.
The only user that is immune to file permissions is the
superuser. Because of this immunity, the number of people with
superuser privileges should be kept at a minimum. The superuser account
should only be used, as necessary, to perform system
administration tasks, such as daily system log reviews.
Depending on the command, any officer could be placed in
charge of the ship's network administrator(s) and, therefore, be given
superuser privileges. With that power comes serious responsibility:
the responsibility to use the elevated privilege,
as required, to perform system administrative tasks.