Lecture 16 Protection


View access control as a matrix (1/33)
• Subjects (processes/users) access objects (e.g., files)
• Each cell of matrix has allowed permissions

Specifying policy (2/33)
• Manually filling out matrix would be tedious
• Use tools such as groups or role-based access control
  [figure: example matrix over objects dir 1, dir 2, dir 3]

Two ways to slice the matrix (3/33)
• Along columns:
  - Kernel stores list of who can access object along with object
  - Most systems you've used probably do this
  - Examples: Unix file permissions, Access Control Lists (ACLs)
• Along rows:
  - Capability systems do this
  - More on these later...

Example: Unix protection (4/33)
• Each process has a User ID & one or more group IDs
• System stores with each file:
  - User who owns the file and group file is in
  - Permissions for user, any one in file group, and other
• Shown by output of ls -l command:
      rw-   rw-   r--   dm    cs140 ... index.html
      user  group other owner group
  - Each group of three letters specifies a subset of read, write, and execute permissions
  - User permissions apply to processes with same user ID
  - Else, group permissions apply to processes in same group
  - Else, other permissions apply

Unix continued (5/33)
• Directories have permission bits, too
  - Need write perm. on directory to create or delete a file
• Special user root (UID 0) has all privileges
  - E.g., read/write any file, change owners of files
  - Required for administration (backup, creating new users, etc.)
• Example:
      drwxr-xr-x 56 root wheel 4096 Apr 4 10:08 /etc
  - Directory writable only by root, readable by everyone
  - Means non-root users cannot directly delete files in /etc
  - Execute permission means ability to use pathnames in the directory, separate from read permission which allows listing

Non-file permissions in Unix (6/33)
• Many devices show up in file system
  - E.g., /dev/tty1 permissions just like for files
• Other access controls not represented in file system
• E.g., must usually be root to do the following:
  - Bind any TCP or UDP port number less than 1,024
  - Change the current process's user or group ID
  - Mount or unmount file systems
  - Create device nodes (such as /dev/tty1) in the file system
  - Change the owner of a file
  - Set the time-of-day clock; halt or reboot machine

Example: Login runs as root (7/33)
• Unix users typically stored in files in /etc
  - Files passwd, group, and often shadow or master.passwd
• For each user, files contain:
  - Textual username (e.g., "dm", or "root")
  - Numeric user ID, and group ID(s)
  - One-way hash of user's password: { salt, H(salt, passwd) }
  - Other information, such as user's full name, login shell, etc. ...
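The permission check on slides 4 and 5 (pick the user triple if the UID matches, else the group triple if any of the process's GIDs match, else the other triple; root bypasses the bits; directories need write to create or delete names and execute to resolve them) is small enough to model exactly. The following is an added example written for these notes, not code from the lecture or from any Unix kernel; the names Process, Inode, parse_rwx, may_access, access_matrix and the sample UIDs/GIDs are its own assumptions. It goes slightly beyond the slide in two places that real kernels get right: deleting a name requires both w and x on the directory, and even root cannot execute a regular file that has no x bit set at all. The access_matrix function materialises slide 1's matrix from the per-object data Unix actually stores, which is the "along columns" slicing of slide 3.

```python
from dataclasses import dataclass

# Added example modelling the Unix permission rules from the slides.
# All identifiers here are this example's own, not a kernel API.

R, W, X = 4, 2, 1  # bits within one rwx triple


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset  # primary plus supplementary group IDs


@dataclass(frozen=True)
class Inode:
    owner_uid: int
    owner_gid: int
    mode: int          # low 9 bits: rwx for user, group, other
    is_dir: bool = False


def parse_rwx(s):
    """Turn the 9-character permission string ls -l prints into mode bits.
    parse_rwx('rw-rw-r--') == 0o664"""
    if len(s) != 9:
        raise ValueError("expected 9 permission characters")
    bits = 0
    for ch, want in zip(s, "rwxrwxrwx"):
        bits <<= 1
        if ch == want:
            bits |= 1
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r}")
    return bits


def relevant_triple(proc, inode):
    """Exactly one triple applies, in the order the slide gives:
    user if the UID matches, else group if any GID matches, else other."""
    if proc.uid == inode.owner_uid:
        return (inode.mode >> 6) & 7
    if inode.owner_gid in proc.gids:
        return (inode.mode >> 3) & 7
    return inode.mode & 7


def may_access(proc, inode, want):
    """want is a bitmask of R, W, X; every requested bit must be granted."""
    if proc.uid == 0:
        # Root bypasses the mode bits (slide 5). Real kernels keep one
        # exception: executing a regular file still needs some x bit set.
        if want & X and not inode.is_dir and not (inode.mode & 0o111):
            return False
        return True
    return (relevant_triple(proc, inode) & want) == want


def _require_dir(d):
    if not d.is_dir:
        raise ValueError("not a directory")


def may_list(proc, d):
    """Read on a directory lets you list its names."""
    _require_dir(d)
    return may_access(proc, d, R)


def may_traverse(proc, d):
    """Execute on a directory lets you use pathnames through it."""
    _require_dir(d)
    return may_access(proc, d, X)


def may_create_or_delete(proc, d):
    """Creating or deleting a name needs write on the directory (slide 5);
    kernels also require x, since the name has to be resolved first."""
    _require_dir(d)
    return may_access(proc, d, W | X)


def access_matrix(subjects, objects):
    """Slide 1's matrix, computed from what Unix stores per object (columns).
    Cell value is the subset of 'rwx' the subject is granted."""
    return {
        (s_name, o_name): "".join(
            ch for ch, bit in (("r", R), ("w", W), ("x", X))
            if may_access(proc, ino, bit))
        for s_name, proc in subjects.items()
        for o_name, ino in objects.items()
    }


# Constructed sample data mirroring the slides: uid 1000 = dm, gid 100 = cs140,
# uid/gid 0 = root/wheel. The numbers are this example's assumptions.
DM = Process(uid=1000, gids=frozenset({100}))
CLASSMATE = Process(uid=1001, gids=frozenset({100}))
OUTSIDER = Process(uid=2000, gids=frozenset({200}))
ROOT = Process(uid=0, gids=frozenset({0}))

INDEX_HTML = Inode(owner_uid=1000, owner_gid=100, mode=parse_rwx("rw-rw-r--"))
ETC = Inode(owner_uid=0, owner_gid=0, mode=parse_rwx("rwxr-xr-x"), is_dir=True)


def demo():
    """Evaluate the two ls -l lines from the slides for several subjects."""
    subjects = {"dm": DM, "classmate": CLASSMATE, "outsider": OUTSIDER, "root": ROOT}
    objects = {"index.html": INDEX_HTML, "/etc": ETC}
    return access_matrix(subjects, objects)


if __name__ == "__main__":
    for cell, perms in sorted(demo().items()):
        print(f"{cell[0]:>10} x {cell[1]:<11} {perms or '-'}")
```

The matrix printed by demo() is what slide 1 draws: each row is a subject, each column an object, and the cell is the permission subset. Nothing in the Inode stores rows, which is the point of slide 3: the kernel keeps a column per object and derives the row for a given process at access time.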
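Slide 7 says the password file holds { salt, H(salt, passwd) } rather than the password itself. The following added example, written for these notes and not taken from the lecture or from any real login program, shows the record being created and checked. It assumes PBKDF2-HMAC-SHA256 as H (the slide does not name the hash) and a record layout of its own, "pbkdf2$iterations$salt$hash", with the salt and hash base64-encoded; the helper names make_record, verify_password and check_login are likewise this example's.

```python
import base64
import hashlib
import hmac
import os

# Added example of the {salt, H(salt, passwd)} record from slide 7.
# The scheme (PBKDF2-HMAC-SHA256) and the record layout are assumptions.

ITERATIONS = 200_000  # iteration count is part of the record so it can grow later


def make_record(password, salt=None, iterations=ITERATIONS):
    """Build the stored record. A fresh random salt is drawn unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def parse_record(record):
    scheme, iterations, salt_b64, digest_b64 = record.split("$")
    if scheme != "pbkdf2":
        raise ValueError(f"unknown scheme {scheme!r}")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password, record):
    """Recompute H(salt, passwd) with the stored salt and compare in constant time."""
    iterations, salt, stored = parse_record(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, stored)


# A constructed two-user table standing in for /etc/shadow. Fixed salts are
# used only so the records are reproducible; make_record() normally draws one.
USERS = {
    "dm":   make_record("correct horse", salt=b"\x01" * 16),
    "root": make_record("correct horse", salt=b"\x02" * 16),
}

# Record for an unknown user: spending the same work keeps the timing of
# "no such user" indistinguishable from "wrong password".
_DUMMY = make_record("", salt=b"\x00" * 16)


def check_login(users, username, password):
    """What a login program does with the stored record: never store or
    compare the cleartext, only recompute the hash with that user's salt."""
    record = users.get(username, _DUMMY)
    ok = verify_password(password, record)
    return ok and username in users


if __name__ == "__main__":
    for name, rec in USERS.items():
        print(f"{name}: {rec}")
    print("dm login:", check_login(USERS, "dm", "correct horse"))
```

Because dm and root share a password but not a salt, their stored records differ; an attacker who obtains the file cannot see that the two passwords are equal, and a table of precomputed H(passwd) values is useless without also including each salt. That is the reason the slide stores the salt next to the hash rather than using H(passwd) alone.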
This note was uploaded on 03/13/2010 for the course CS 02523 taught by Professor Davidmieres during the Winter '10 term at A.T. Still University.
