CS283 - Lecture 4 - Part 2 - AccessControlLists

GWU CS 172/283 Autumn 2009
Lecture 4 – Part 2 - Access Control Lists

Sources:
- Memon's notes, Brooklyn Poly
- Bishop's text, Chapter 15
- Bishop's slides, Chapter 15
- Text by Pfleeger and Pfleeger, Chapter 4
GWU CS 172/283 - Autumn 2009, Holmblad - Lecture 04 – Part 2 - Rev 20090929

Slide 2: Access Control Mechanisms
- Access control matrix
- Access control list
- Capability-based access control
- Lock-and-key-based access control
- Ring-based access control
Slide 3: Access Control Lists
Instead of using the ACM, use an Access Control List (ACL): essentially, store each column of the ACM with the object it represents.

Definition: Let S be the set of subjects and R the set of rights of a system. An access control list l is a set of pairs
    l = {(s, r) : s ∈ S, r ⊆ R}
Let acl be a function that determines the access control list associated with a particular object o. Then
    acl(o) = {(s_i, r_i) : 1 ≤ i ≤ n}
means that subject s_i may access o using any right in r_i.
Slide 4: Access Control Lists: example
Columns of the access control matrix:

             file1    file2    file3
    Andy     rx       r        rwo
    Betty    rwxo     r
    Charlie  rx       rwo      w

ACLs (one per object, one column each):
    file1: { (Andy, rx) (Betty, rwxo) (Charlie, rx) }
    file2: { (Andy, r) (Betty, r) (Charlie, rwo) }
    file3: { (Andy, rwo) (Charlie, w) }
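The following is an added example, not code from the lecture: it takes the matrix from the slide above, derives the per-object ACLs by storing each column with its object (the definition on the previous slide), and mediates an access request against the ACL. Rights are the slide's single-letter flags (r, w, x, o); a subject with no pair for an object gets nothing, which is the fail-safe default the later slides call for.

```python
# Added example (not from the lecture slides): building ACLs from an access
# control matrix by storing each column with the object it protects.
from typing import Dict, List, Tuple

# The access control matrix from the slide, keyed by subject then object.
# Rights are strings of single-letter flags: r=read, w=write, x=execute, o=own.
ACM: Dict[str, Dict[str, str]] = {
    "Andy":    {"file1": "rx",   "file2": "r",   "file3": "rwo"},
    "Betty":   {"file1": "rwxo", "file2": "r"},
    "Charlie": {"file1": "rx",   "file2": "rwo", "file3": "w"},
}


def acl(acm: Dict[str, Dict[str, str]], obj: str) -> List[Tuple[str, str]]:
    """Return the ACL of `obj`: the matrix column for that object, as a list
    of (subject, rights) pairs. Subjects with an empty cell are omitted."""
    return [(s, rights[obj]) for s, rights in acm.items() if obj in rights]


def all_acls(acm: Dict[str, Dict[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Every object's ACL; together these hold the same information as the ACM."""
    objects = sorted({o for rights in acm.values() for o in rights})
    return {o: acl(acm, o) for o in objects}


def acl_check(acm: Dict[str, Dict[str, str]], subject: str, obj: str, right: str) -> bool:
    """Mediate one access: `subject` may use `right` on `obj` iff some pair for
    that subject in obj's ACL lists it. No pair at all means denied."""
    return any(s == subject and right in r for s, r in acl(acm, obj))


def format_acl(obj: str, pairs: List[Tuple[str, str]]) -> str:
    """Render an ACL in the slide's notation, e.g. 'file3: { (Andy, rwo) (Charlie, w) }'."""
    return f"{obj}: {{ " + " ".join(f"({s}, {r})" for s, r in pairs) + " }"


if __name__ == "__main__":
    for o, pairs in all_acls(ACM).items():
        print(format_acl(o, pairs))
    print("Charlie write file3:", acl_check(ACM, "Charlie", "file3", "w"))
    print("Betty read file3:", acl_check(ACM, "Betty", "file3", "r"))
```

Running the block prints the three ACLs exactly as the slide lists them; the two checks at the end show a granted access and a denial that follows purely from Betty having no pair in file3's ACL.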
Slide 5: Abbreviated ACLs
Although this is the same amount of storage as the ACM, it is now distributed. To further reduce storage, one can abbreviate ACLs as in UNIX. One can also assign default access to groups of subjects as well as specific rights to individual subjects. Two ways of doing this:
1) What is not prohibited is permitted.
2) What is not permitted is prohibited.
The latter is always better!!
Slide 6: Default Permissions
- Normal: if not named, no rights over the file (principle of fail-safe defaults).
- If there are many subjects, may use groups or wildcards in the ACL.
- UNICOS: entries are (user, group, rights).
  - If user is in group, has rights over the file.
  - '*' is a wildcard for user or group.
  - (holly, *, r): holly can read the file regardless of her group.
  - (*, gleep, w): anyone in group gleep can write the file.
Slide 7: Accessing Files
1. User not in the file's ACL nor in any group named in the file's ACL: deny access.
2. An ACL entry denies the user access: deny access.
3. Otherwise, take the union of the rights of all ACL entries giving the user access: the user has this set of rights over the file.
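An added example, not code from the lecture, that ties the two slides above together: UNICOS-style (user, group, rights) entries with '*' wildcards, and the three-step decision from the "Accessing Files" slide (unnamed user denied, deny entry wins, otherwise the union of matching entries). The slides do not say how a deny entry is written, so the `deny` flag on an entry is my assumption; the user "mallory" and the group "staff" are constructed for the sample.

```python
# Added example (not from the slides): group/wildcard ACL entries in the
# UNICOS style (user, group, rights) and the three-step access decision.
# The explicit `deny` flag is an assumed representation of a deny entry.
from dataclasses import dataclass
from typing import List, Set

WILDCARD = "*"


@dataclass(frozen=True)
class Entry:
    user: str            # user name or "*"
    group: str           # group name or "*"
    rights: str          # single-letter rights, e.g. "r", "w", "rw"
    deny: bool = False   # assumption: a deny entry revokes access outright


def matches(entry: Entry, user: str, groups: Set[str]) -> bool:
    """An entry applies when its user field is this user or '*', and its
    group field is one of the user's groups or '*'."""
    user_ok = entry.user in (WILDCARD, user)
    group_ok = entry.group == WILDCARD or entry.group in groups
    return user_ok and group_ok


def rights_for(acl: List[Entry], user: str, groups: Set[str]) -> Set[str]:
    """Step 1: not named, directly or via a group -> no rights (fail-safe default).
    Step 2: any applicable deny entry -> no rights.
    Step 3: otherwise the union of rights over all applicable entries."""
    applicable = [e for e in acl if matches(e, user, groups)]
    if not applicable:
        return set()
    if any(e.deny for e in applicable):
        return set()
    return set().union(*(set(e.rights) for e in applicable))


def permitted(acl: List[Entry], user: str, groups: Set[str], right: str) -> bool:
    """True iff `right` is in the user's effective rights over the file."""
    return right in rights_for(acl, user, groups)


# Constructed sample ACL: the slide's two entries plus one assumed deny entry.
FILE_ACL: List[Entry] = [
    Entry("holly", WILDCARD, "r"),          # holly can read regardless of group
    Entry(WILDCARD, "gleep", "w"),          # anyone in group gleep can write
    Entry("mallory", WILDCARD, "", deny=True),  # constructed: mallory denied
]

if __name__ == "__main__":
    for user, groups in [("holly", {"staff"}), ("holly", {"gleep"}),
                         ("bob", {"gleep"}), ("bob", {"staff"}),
                         ("mallory", {"gleep"})]:
        print(user, sorted(groups), "->", sorted(rights_for(FILE_ACL, user, groups)))
```

Holly in group gleep ends up with both r and w, which is the union step; bob in staff matches no entry and gets nothing, which is the fail-safe default; mallory in gleep would match the group entry, but the deny entry is checked before the union and wins.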
Slide 8: Example - File Protection in UNIX
UNIX allows read, write, execute, and delete to each of the individual groups: owner, group, world.
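An added example, not from the lecture, of the UNIX abbreviation from the slide: instead of a per-subject list, a file carries one rwx triple for each of owner, group and world, and the requester is placed in exactly one class (owner if the uid matches, else group if the file's gid is among the requester's groups, else world). This is my own illustration; the mode values, uids and gids below are constructed.

```python
# Added example (not from the slides): evaluating UNIX owner/group/world
# permission bits, the abbreviated ACL the slide refers to. Constructed values.
from typing import Set


def permission_class(file_uid: int, file_gid: int, uid: int, groups: Set[int]) -> str:
    """Pick the single rwx triple that governs the requester. This is a
    first-match selection, not a union: an owner is judged only by the owner
    bits even if the group bits would be more generous."""
    if uid == file_uid:
        return "owner"
    if file_gid in groups:
        return "group"
    return "world"


def class_rights(mode: int, cls: str) -> Set[str]:
    """Extract the rwx rights of one class from a numeric mode such as 0o640."""
    shift = {"owner": 6, "group": 3, "world": 0}[cls]
    bits = (mode >> shift) & 0o7
    rights = set()
    if bits & 0o4:
        rights.add("r")
    if bits & 0o2:
        rights.add("w")
    if bits & 0o1:
        rights.add("x")
    return rights


def unix_rights(mode: int, file_uid: int, file_gid: int, uid: int, groups: Set[int]) -> Set[str]:
    """Effective rights of a requester over a file with the given mode and ownership."""
    return class_rights(mode, permission_class(file_uid, file_gid, uid, groups))


if __name__ == "__main__":
    # Constructed file: mode 0o640, owned by uid 1000, group gid 100.
    for uid, groups in [(1000, {100}), (1001, {100}), (1002, {200})]:
        print(uid, sorted(groups), "->", sorted(unix_rights(0o640, 1000, 100, uid, groups)))
    # Owner with no owner bits gets nothing even though the group has rwx.
    print("owner of 0o075 file:", sorted(unix_rights(0o075, 1000, 100, 1000, {100})))
```

Two points worth noticing against the general ACL model of the earlier slides: the class selection is first-match, so an owner whose owner bits are empty gets no rights even when the group bits would grant them (the 0o075 case), and the file's own mode says nothing about deletion, which UNIX governs through the write bit of the containing directory.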
This document was uploaded on 10/30/2009.