1 / 8

Access Control

Access Control. Many models. Traditional Unix model Windows model Role-based access control (SE Linux) ‏ Access control for confidentiality (Bell-La Padula model) ‏ other models All based on subject/object nomenclature. Traditional Unix model. Based on users and groups

eris
Télécharger la présentation

Access Control

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Access Control

  2. Many models • Traditional Unix model • Windows model • Role-based access control (SE Linux)‏ • Access control for confidentiality (Bell-La Padula model)‏ • other models • All based on subject/object nomenclature.

  3. Traditional Unix model • Based on users and groups • Both users and groups have an external “name” and an internal id number • Each user gets membership in a collection of groups. • user id number 0 is “special” or “privileged” and has access to the whole machine. uid 0 usually has the name root, but that can (should) be changed.

  4. Unix model (cont)‏ • Objects (files, devices, etc. have a uid and a gid assigned to them. They also have a set of permission bits assigned to them. • Subjects (processes) have a “real” and an “effective” user id; in addition, they have a “real” and an “effective” group id; usually the real and the effective uid/gid are the same, but not always. • Files have permission bits assigned to them,

  5. Unix model (cont; permission bits) • Every file has three groups of three bits each. • The three groups represent: • user • group • other • The three bits represent: • read • write • execute

  6. More bits • There are 3 more bits associated with each file: • setuid • setgid • sticky/text bit

  7. Unix model (cont: setting and changing permissions)‏ • When a file is created a mode is specified; the actual mode given to the file is the result of mode & ~umask • The chmod command/system call can be used to change the permission bits. • The chown command/system call can be used to change file ownership. • Some unices have a “newgrp” command/system call to change the gid of the process.

  8. Unix Access control programming • chmod/fchmod have two arguments second one is mode, S_Ixwwy, where x is one of S or RWX, wwy is UID, GID, VTX, USR GRP OTH • Don't use chmod, to prevent race conditions. • chown/fchown have three args: file, user, grp. • Don't use chown, to prevent race conditions. • A newgrp is never necessary to change a group. • umask sets and changes umask

More Related