Protection
Goals of Protection
· Operating system consists of a collection of objects: hardware or software
· Each object has a unique name and can be accessed through a well-defined set of operations
· Protection problem - ensure that each object is accessed correctly and only by those processes that are allowed to do so
✓ Protection guiding principle – principle of least privilege:
Programs, users and systems should be given just enough privileges to perform their tasks
Domain Structure
· Access-right = <object-name, rights-set>, where rights-set is a subset of all valid operations that can be performed on the object.
· Domain = set of access-rights
Domain Implementation in UNIX
▪ Domain = user-id
▪ Domain switch accomplished via the file system
✓ Each file has associated with it a domain bit (the setuid bit)
✓ When the file is executed and setuid is on, the user-id is set to the owner of the file being executed
✓ When execution completes, the user-id is reset
Examples:
setuid (set user id):
Allows a user to be another user during the execution of a program.
For example:
[antares] ~> cd /usr/bin
[antares] /usr/bin> ls -l passwd
-r-sr-sr-x 1 root sys 27228 Aug 16 2007 passwd
[antares] /usr/bin> ls -l | grep sr
-r-sr-xr-x 1 root bin 31408 Jan 22 2005 login
-r-sr-sr-x 1 root sys 27228 Aug 16 2007 passwd
.........
Run passwd in one window:
[antares] ~> passwd
Run in another window:
[antares] ~> ps -a -o user,ruser,comm
USER RUSER COMMAND
root cs471w passwd
How to set the setuid bit of a program:
[antares] ~> chmod u+s program
Example:
% cd /home/cs471w/public_html/code/final-src/chap14
% setuidf
Access Matrix
· View protection as a matrix (access matrix)
· Rows represent domains
· Columns represent objects
· Access(i, j) is the set of operations that a process executing in Domain i can invoke on Object j
Use of Access Matrix
· If a process in Domain Di tries to do “op” on object Oj, then “op” must be in Access(i, j) of the access matrix
· Access matrix design: separate Mechanism from Policy:
Mechanism
It ensures that the matrix is only manipulated by authorized agents and rules are strictly enforced
Policy
User dictates policy:
Who can access what object and in what mode
Implementation of Access Matrix
· Each column = Access-control list for one object
Defines who can perform what operation on that object.
Domain 1 = Read, Write
Domain 2 = Read
Domain 3 = Read
...
· Each row = Capability list (like a key)
For each domain, what operations are allowed on what objects.
Object 1 – Read
Object 4 – Read, Write, Execute
Object 5 – Read, Write, Delete, Copy
Access Matrix With Domains as Objects
transfer – switch from domain Di to Dj
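The access-matrix check (“op” must be in Access(i, j)) and the transfer right for switching domains, worked through as an added example in C; it is not code from the slides. The matrix contents, the object names F1..F3 and the bit encoding of the rights set are constructed here for illustration.

```c
#include <stdio.h>

/* Rights as a bit set: a rights-set is a subset of the valid operations. */
enum { R_READ = 1, R_WRITE = 2, R_EXEC = 4, R_SWITCH = 8 };

#define NDOMAINS 3
#define NOBJECTS 3
/* Columns: the objects F1..F3, then one column per domain (domains as objects). */
#define NCOLS (NOBJECTS + NDOMAINS)
#define DCOL(d) (NOBJECTS + (d))   /* column index of domain d */

/* Constructed sample matrix (not from the slides): Access(i, j) for domain i, column j. */
static const unsigned access_matrix[NDOMAINS][NCOLS] = {
    /*  F1              F2      F3      D0  D1        D2       */
    {   R_READ|R_WRITE, R_READ, 0,      0,  R_SWITCH, 0        },  /* D0 */
    {   R_READ,         0,      R_EXEC, 0,  0,        R_SWITCH },  /* D1 */
    {   R_READ,         R_READ, 0,      0,  0,        0        },  /* D2 */
};

/* Mechanism: every requested op must be in Access(i, j); anything else is denied.
   Out-of-range indices are denied rather than read past the matrix. */
int check_access(int domain, int col, unsigned op)
{
    if (domain < 0 || domain >= NDOMAINS || col < 0 || col >= NCOLS)
        return 0;
    return (access_matrix[domain][col] & op) == op;
}

/* transfer: switch from domain `from` to domain `to` only if Access(from, D_to)
   contains the switch right. Returns the domain the process now executes in. */
int transfer(int from, int to)
{
    if (to < 0 || to >= NDOMAINS)
        return from;
    return check_access(from, DCOL(to), R_SWITCH) ? to : from;
}

int main(void)
{
    int d = 0;
    printf("D0 write F1: %s\n", check_access(d, 0, R_WRITE) ? "allowed" : "denied");
    printf("D0 exec  F3: %s\n", check_access(d, 2, R_EXEC)  ? "allowed" : "denied");
    d = transfer(d, 1);              /* D0 holds the switch right on D1, so this succeeds */
    printf("now in D%d, exec F3: %s\n", d,
           check_access(d, 2, R_EXEC) ? "allowed" : "denied");
    printf("D2 -> D0: %s\n", transfer(2, 0) == 0 ? "switched" : "refused");
    return 0;
}
```

The policy lives entirely in the matrix contents; the two functions are the mechanism and never grant anything the matrix does not list.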