Access Control List

CE01000-3 Operating Systems
Lecture 21
Operating Systems Protection, with examples from Linux & Windows
Overview of lecture

In this lecture we will look at:

• Goals of Protection
• Domains of Protection
• Access Control Matrix
• Implementation of Access Matrix
• Access Control Lists & Capability Lists
• Windows approach
• Unix/Linux approach
Protection

• A computer system consists of a collection of components, hardware or software.
• We want each component to be accessed only through a well-defined set of operations.
• The protection problem is to ensure that each component is accessed correctly and only by those processes that are allowed to do so.
• Protection is the mechanism for controlling access to computer resources.
Goals of protection

Goals of Protection are:

• Increase reliability of systems that use shared resources
• Prevent mischievous activity
• Detect malfunctions before they contaminate the system.
Domains of protection

• An access right grants the authority to perform an operation on some object.
• A domain is a set of objects and access rights within which a process operates.
• Domains can share access rights; multiple domains can have some access to the same object.
Domain Structure

• Access-right = <object-name, set-of-rights>
• set-of-rights is a subset of all valid operations that can be performed on the object.
Example Domain Implementations

Unix has 2 types of domain:

• User
• Superuser/root

• The domain is determined by the user-id.
• A domain switch is accomplished via the file system:
  ◦ Each file has associated with it a domain bit (the setuid bit).
  ◦ When a file is executed and its setuid bit is on, the user-id is set to the owner of the file being executed. When execution completes the user-id is reset.
Access Control Matrix (ACM)

• For each domain, list all objects and the access rights to them
• Represented as a matrix (Access Control Matrix) with entry i,j representing the access rights within domain i to object j
• Normally conceived of as the access rights of user i to object j

Access Control Matrix (ACM)

Figure 1
Use of ACM

• If a process in domain Di tries to do “op” on object Oj, then “op” must be in entry (i, j) of the access matrix.
• Can be expanded to include changes to the protections themselves:
  ◦ Operations to add and delete access rights.
  ◦ Special access rights:
    ▪ owner of Oi – can change any access right for the object in any domain
    ▪ copy – copy an access right from Oi to Oj
    ▪ control – Di can modify Dj's access rights
    ▪ transfer – switch from domain Di to Dj
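The matrix rules above, including the four special rights, as an added worked example (this is illustration code written for this page, not code from the lecture or its textbook). The matrix is stored sparsely as a dict of dicts, domains are entered as objects so that the transfer right can be held in the matrix itself, and a right written with a trailing "*" is treated as copyable; all domain, object and right names are constructed.

```python
# Added example (not from the lecture): a sparse access control matrix with
# the slides' special rights. Rows are domains, columns are objects; domains
# are also entered as objects so the "switch" (transfer) right lives in the
# matrix itself. All domain, object and right names are constructed.


class AccessDenied(Exception):
    pass


class AccessMatrix:
    def __init__(self, rows):
        # rows: {domain: {object: set_of_rights}}; a missing entry means "no rights".
        self.rows = {d: {o: set(r) for o, r in objs.items()} for d, objs in rows.items()}

    def rights(self, domain, obj):
        return self.rows.get(domain, {}).get(obj, set())

    def check(self, domain, obj, op):
        # Basic rule: Di may do "op" on Oj only if "op" is in entry (i, j).
        # A right stored as "read*" (copyable) still permits "read".
        r = self.rights(domain, obj)
        if op not in r and op + "*" not in r:
            raise AccessDenied(f"{domain} may not {op} {obj}")
        return True

    def switch(self, src, dst):
        # transfer: Di may switch to Dj only if entry (Di, Dj) holds "switch".
        self.check(src, dst, "switch")
        return dst

    def _may_edit(self, actor, target_domain, obj):
        # owner of Oj may change Oj's rights in any domain;
        # a domain holding "control" over Dk may change any right in row Dk.
        return ("owner" in self.rights(actor, obj)
                or "control" in self.rights(actor, target_domain))

    def grant(self, actor, target_domain, obj, right):
        if not self._may_edit(actor, target_domain, obj):
            raise AccessDenied(f"{actor} may not change {target_domain}'s rights on {obj}")
        self.rows.setdefault(target_domain, {}).setdefault(obj, set()).add(right)

    def revoke(self, actor, target_domain, obj, right):
        if not self._may_edit(actor, target_domain, obj):
            raise AccessDenied(f"{actor} may not change {target_domain}'s rights on {obj}")
        r = self.rights(target_domain, obj)
        r.discard(right)
        r.discard(right + "*")

    def copy(self, src, dst, obj, right):
        # copy: a domain holding a copyable right ("read*") on Oj may copy the
        # plain right into another domain's entry for the same object.
        if right + "*" not in self.rights(src, obj):
            raise AccessDenied(f"{src} holds no copyable {right} on {obj}")
        self.rows.setdefault(dst, {}).setdefault(obj, set()).add(right)


def build_demo_matrix():
    # Constructed matrix: three domains D1..D3, three files F1..F3.
    return AccessMatrix({
        "D1": {"F1": {"read", "write", "owner"}, "F2": {"read*"}, "D2": {"switch"}},
        "D2": {"F2": {"read"}, "F3": {"execute"}, "D1": {"control"}},
        "D3": {"F3": {"read", "write"}},
    })


if __name__ == "__main__":
    m = build_demo_matrix()
    print(m.check("D1", "F1", "read"))        # True
    print(m.switch("D1", "D2"))               # D2
    m.copy("D1", "D3", "F2", "read")          # D1 holds read* on F2
    print(m.check("D3", "F2", "read"))        # True
```

Every mutation goes through `grant`, `revoke` or `copy`, which is where the mechanism enforces that only an owner, a controlling domain or the holder of a copyable right can change an entry; the policy (which entries exist) is whatever the matrix passed to the constructor says.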
Access Control Matrix With Domains as Objects

• Using domains as objects allows us to encode in the ACM the special operation of switching between domains.
Policy/Mechanism

• The Access Control Matrix design separates mechanism from policy.
• Mechanism
  ◦ The operating system defines the ACM and its rules.
  ◦ It ensures that the matrix is only manipulated by authorized agents and that the rules are strictly enforced.
• Policy
  ◦ The administrator/user dictates policy.
  ◦ Who can access what object and in what mode.
Problem with matrix implementation of ACM

• Could use a simple matrix, but this wastes a lot of space, as most entries are empty (no access rights to the object).
Access Control List (ACL) implementations of ACM

• Access Control List (ACL) = for each object, list the set of <Domain, Access rights>
• Equivalent to a column of the ACM without null entries.
• Defines who can perform what operation on the object, e.g. for one object:
  ◦ Domain 1 = Read, Write
  ◦ Domain 2 = Read
  ◦ Domain 3 = Read

ACL implementations of ACM

• When a process wishes to access some object, it makes a request to the OS and the OS checks the ACL to see if the domain the process belongs to has the access rights requested.
Capability implementation of ACM

• Capability List = for each domain, list the set of <object, Access rights>
• Equivalent to a row of the ACM without null entries
• The Capability List defines, for each domain, what operations are allowed on what objects, e.g. for one domain:
  ◦ Object 1 – Read
  ◦ Object 4 – Read, Write, Execute
  ◦ Object 5 – Read, Write, Delete, Copy
Capability implementation of ACM

• An individual capability can be seen as a token or key that grants/authorises access to an object in the appropriate mode
• When a process wishes to access some object it presents the capability to the OS
• Simple possession of the capability means access is permitted
Comparison ACL v. Capability List

• Advantage of ACL is that it is easy to control access rights to given objects – simple direct manipulation of the ACL associated with the object
• BUT –
  ◦ difficult to modify access rights that belong to a given domain (user) – this would need the OS to search through all the ACLs of all objects on the system to find and change the access rights for a specific domain
  ◦ Every access request must be checked – involving a search through the ACL
Comparison ACL v. Capability List (Cont.)

• Advantage of Capability list – easy to control access rights of given domains (users) in the system – direct manipulation of the capabilities in the Capability list
• BUT –
  ◦ difficult to modify access rights that belong to a given object – this would need the OS to search through the Capability lists of all domains (users) in the system to find and change all the capabilities for a given object
  ◦ Overhead of creating capability tokens
Combined systems

• Most systems use a combination of ACL and capability based approaches
• When a process first references an object, an ACL is checked.
• If successful, a capability is given to the domain so that the process can use it thereafter.
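An added worked example, written for this page rather than taken from the lecture, covering the last three slides together: one sparse access matrix sliced into ACLs (columns) and capability lists (rows), the cost of revoking a domain's rights under each storage scheme, and the combined scheme in which the ACL is consulted on first reference and a capability is issued for later use. Domain, object and right names are constructed; they are chosen so that the ACL of F1 and the capability list of D2 reproduce the two example lists on the slides.

```python
# Added example (not from the lecture): one sparse access matrix viewed as
# ACLs (columns) and capability lists (rows), the cost of changing a domain's
# rights under each storage scheme, and the combined scheme in which the ACL
# is consulted on first reference and a capability is issued for later use.
# Names are constructed; acl_of(ACM, "F1") and caplist_of(ACM, "D2") match
# the two lists shown on the slides.
import secrets

ACM = {
    "D1": {"F1": {"read", "write"}, "F2": {"read"}},
    "D2": {"F1": {"read"}, "F4": {"read", "write", "execute"},
           "F5": {"read", "write", "delete", "copy"}},
    "D3": {"F1": {"read"}, "F2": {"read", "write"}},
}


def acl_of(acm, obj):
    # ACL = the column for obj with null entries dropped: {domain: rights}.
    return {d: set(objs[obj]) for d, objs in acm.items() if obj in objs}


def caplist_of(acm, domain):
    # Capability list = the row for domain with null entries dropped: {object: rights}.
    return {o: set(r) for o, r in acm.get(domain, {}).items()}


def all_acls(acm):
    objects = {o for objs in acm.values() for o in objs}
    return {o: acl_of(acm, o) for o in objects}


def all_caplists(acm):
    return {d: caplist_of(acm, d) for d in acm}


def remove_domain_from_acls(acls, domain):
    # Revoking everything a domain holds when rights live in ACLs: every
    # object's ACL has to be searched. Returns the number of ACLs examined.
    for acl in acls.values():
        acl.pop(domain, None)
    return len(acls)


def remove_domain_from_caplists(caplists, domain):
    # The same revocation when rights live in capability lists: one lookup.
    caplists.pop(domain, None)
    return 1


class CombinedKernel:
    """ACL checked on first reference; an unforgeable capability thereafter."""

    def __init__(self, acm):
        self.acls = all_acls(acm)
        self.issued = {}   # capability token -> (domain, object, rights)

    def first_reference(self, domain, obj):
        rights = self.acls.get(obj, {}).get(domain)
        if not rights:
            raise PermissionError(f"{domain} has no rights on {obj}")
        token = secrets.token_hex(16)   # random so that it cannot be guessed
        self.issued[token] = (domain, obj, frozenset(rights))
        return token

    def use(self, token, op):
        # "Simple possession" is only safe because the kernel, not the process,
        # is the authority on which tokens exist and what each one allows.
        if token not in self.issued:
            raise PermissionError("unknown or forged capability")
        _, _, rights = self.issued[token]
        return op in rights


if __name__ == "__main__":
    print(sorted(acl_of(ACM, "F1")))           # ['D1', 'D2', 'D3']
    print(sorted(caplist_of(ACM, "D2")))       # ['F1', 'F4', 'F5']
    k = CombinedKernel(ACM)
    cap = k.first_reference("D1", "F1")
    print(k.use(cap, "write"), k.use(cap, "delete"))   # True False
```

The two `remove_domain_*` functions make the comparison slides concrete: the ACL version touches every object on the system, the capability version touches one row. The kernel-side `issued` table is what makes "simple possession" acceptable; a capability the process merely claims to hold is rejected.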
Windows approach

• Windows uses a variation on the above combined approach. It uses an ACL associated with each object together with an Access Token, which is, however, generated at logon.
Access Control List

• Windows objects have a security descriptor (a default security descriptor is used if one is not provided)
• The security descriptor contains a list of entries in an Access Control List (ACL)
• The entries in the ACL specify whether members of a given security group can or cannot carry out given operations on the object
Access Token

• When a user logs on to the system, an Access Token is created by the Security Reference Monitor as part of the authentication of the user
• The Access Token specifies the access permissions, etc. that the user, or applications run by that user, have within the operating system
Access Token (Cont.)

• Whenever a user attempts to access anything in the operating system, the access token is passed to the security monitor in the NT Executive to check whether the user has the appropriate permissions, has gone over quota, etc.
• The Access Token contains a Security ID (SID).
• The Security ID contains information about the various security groups that the user belongs to
Access Token (Cont.)

[Diagram of the Access Token as a Windows object]
Object Type: Access Token
Object Body (attributes): Security ID, Group IDs, Privileges, Default owner, Primary group, Default ACL
Services: Create token, Open token, Query info
Security reference monitor

• The Security reference monitor provides a uniform mechanism for ensuring security throughout the operating system
• When a process calls the object manager to open a handle to an object, the process stipulates the types of operation it wants to perform on the object (known as the desired access rights), e.g. opening a file object as read only
Security reference monitor (Cont.)

• When a process opens a handle to an object, the object manager calls the security reference monitor
• The security reference monitor checks the Access Token of the process to determine the process's Security ID, i.e. what security groups it belongs to.
Security reference monitor (Cont.)

• Then it checks the object's Access Control List to determine whether members of a given security group can or cannot carry out the operation requested
• If the access required is OK, then the security reference monitor returns the set of granted access rights that the process is allowed
• These access rights are then stored in the object handle for the object
Security reference monitor (Cont.)

• Subsequently, whenever a process attempts to use the handle to perform some operation on the object, the object manager checks the granted access rights to see if the operation to be performed is allowed
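A model of the open-time check and the later handle check, added here as a worked example (it is illustration code for this page, not Windows source or the lecture's own material). The token carries a user SID and group SIDs, the security descriptor carries an ordered ACL of allow/deny entries, the reference-monitor check decides each desired bit by the first matching entry and returns the granted rights, which are stored in the handle and consulted on every later operation. The SID strings, the access-mask bit values and the principals are constructed placeholders, not real Windows values.

```python
# Added example (not Windows code): a model of the flow the slides describe.
# An access token carries the user's SID and group SIDs; an object's security
# descriptor carries an ACL of allow/deny entries; the reference monitor checks
# the desired access against the ACL when a handle is opened and stores the
# granted rights in the handle; later operations are checked against the
# handle only. SID strings, mask bit values and names are constructed.
from dataclasses import dataclass

READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8   # constructed access-mask bits


@dataclass(frozen=True)
class AccessToken:
    user_sid: str
    group_sids: frozenset

    def sids(self):
        return {self.user_sid} | set(self.group_sids)


@dataclass(frozen=True)
class ACE:
    kind: str     # "allow" or "deny"
    sid: str      # the user or group this entry applies to
    mask: int     # operations the entry allows or denies


@dataclass(frozen=True)
class SecurityDescriptor:
    owner_sid: str
    acl: tuple    # ordered ACEs; an empty tuple grants nothing


@dataclass
class Handle:
    obj: str
    granted: int  # access rights fixed at open time


def access_check(token, sd, desired):
    # Walk the ACL in order. For each desired bit the first matching entry
    # decides it, so a deny entry for any SID in the token wins over any later
    # allow. Returns the granted mask, or 0 if any desired bit was refused.
    sids = token.sids()
    granted = 0
    denied = 0
    for ace in sd.acl:
        if ace.sid not in sids:
            continue
        undecided = desired & ~(granted | denied)
        if ace.kind == "deny":
            denied |= ace.mask & undecided
        elif ace.kind == "allow":
            granted |= ace.mask & undecided
        if not desired & ~(granted | denied):
            break
    return granted if granted == desired else 0


def open_object(token, sd, obj_name, desired):
    # The object manager asks the reference monitor once, at open time.
    granted = access_check(token, sd, desired)
    if granted != desired:
        return None          # access denied: no handle is created
    return Handle(obj_name, granted)


def use_handle(handle, op_mask):
    # Later operations are checked against the rights stored in the handle,
    # without consulting the ACL again.
    return handle.granted & op_mask == op_mask


# Constructed principals (placeholder SIDs) and one object's security descriptor.
ALICE = AccessToken("S-1-EX-1001", frozenset({"S-1-EX-staff", "S-1-EX-everyone"}))
BOB = AccessToken("S-1-EX-1002",
                  frozenset({"S-1-EX-interns", "S-1-EX-staff", "S-1-EX-everyone"}))
REPORT_SD = SecurityDescriptor(
    owner_sid="S-1-EX-1001",
    acl=(
        ACE("deny", "S-1-EX-interns", WRITE | DELETE),
        ACE("allow", "S-1-EX-staff", READ | WRITE),
        ACE("allow", "S-1-EX-everyone", READ),
    ),
)

if __name__ == "__main__":
    h = open_object(ALICE, REPORT_SD, "report.txt", READ | WRITE)
    print(h.granted, use_handle(h, WRITE), use_handle(h, DELETE))   # 3 True False
    print(open_object(BOB, REPORT_SD, "report.txt", READ | WRITE))  # None
```

Two points the model makes visible: the order of entries matters, because Bob's deny entry is reached before the staff allow entry and so blocks his write even though he is also in staff; and a handle opened for read only can never be used for write later, because the granted mask was fixed when the handle was created.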
Unix/Linux protection (Cont.)

• Example:

-rwxr-xr-x 1 user1 grp1 10152 Sep 21 17:04 fs
-rw-r----- 1 user1 grp1   329 Sep 21 17:04 fs.c

• The fs file may be executed by anyone on the system, but the source file may only be read by the owner or by people in the group grp1. Both files may only be modified by the user user1.
Unix/Linux protection (Cont.)

• Or, specify absolute permissions in octal:
  ◦ 4=r, 2=w, 1=x
  ◦ e.g. 755=rwxr-xr-x, 640=rw-r-----
  ◦ e.g. chmod 755 filename
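An added worked example, written for this page and not part of the lecture, that ties the Unix slides together: conversion between the symbolic form shown by ls and the octal form used by chmod, the owner/group/other check applied to the two files in the listing above (fs = 755, fs.c = 640), and the setuid domain switch from the Example Domain Implementations slide. The uid and gid numbers for user1 and grp1 and the extra users are constructed.

```python
# Added example (not from the lecture): Unix mode bits as the slides show
# them. Symbolic <-> octal conversion, the owner/group/other access check
# applied to the two files from the listing (fs 755, fs.c 640), and the
# setuid domain switch described earlier. uids/gids are constructed.
from dataclasses import dataclass

R, W, X = 4, 2, 1
SETUID = 0o4000


def parse_symbolic(s):
    # "-rwxr-xr-x" or "rwxr-xr-x" -> 0o755. A leading file-type character
    # from ls output is skipped. An "s" in the execute slot of the user
    # triple sets the setuid bit as well as execute.
    bits = s[-9:]
    if len(bits) != 9:
        raise ValueError("need nine permission characters")
    mode = 0
    for i, ch in enumerate(bits):
        if ch == "-":
            continue
        triple = 2 - i // 3            # 2 = user, 1 = group, 0 = other
        expected = "rwx"[i % 3]
        if ch == expected:
            mode |= {"r": R, "w": W, "x": X}[ch] << (3 * triple)
        elif ch == "s" and expected == "x" and triple == 2:
            mode |= (X << 6) | SETUID
        else:
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return mode


def to_symbolic(mode):
    out = []
    for triple in (2, 1, 0):
        bits = (mode >> (3 * triple)) & 0o7
        out.append("r" if bits & R else "-")
        out.append("w" if bits & W else "-")
        if triple == 2 and mode & SETUID:
            out.append("s" if bits & X else "S")
        else:
            out.append("x" if bits & X else "-")
    return "".join(out)


def to_octal(mode):
    return format(mode & 0o7777, "o")


@dataclass(frozen=True)
class File:
    name: str
    owner_uid: int
    owner_gid: int
    mode: int


@dataclass(frozen=True)
class Process:
    uid: int
    gids: frozenset


def allowed(proc, f, op):
    # Exactly one triple applies: owner, else group member, else other.
    if proc.uid == f.owner_uid:
        shift = 6
    elif f.owner_gid in proc.gids:
        shift = 3
    else:
        shift = 0
    return bool((f.mode >> shift) & {"r": R, "w": W, "x": X}[op])


def execute(proc, f):
    # Returns (uid while running, uid afterwards). With the setuid bit set the
    # process runs in the file owner's domain and is reset on completion.
    if not allowed(proc, f, "x"):
        raise PermissionError(f"uid {proc.uid} may not execute {f.name}")
    euid = f.owner_uid if f.mode & SETUID else proc.uid
    return euid, proc.uid


# Constructed ids for the listing on the slides: user1 = 1000, grp1 = 100.
FS = File("fs", 1000, 100, parse_symbolic("-rwxr-xr-x"))
FS_C = File("fs.c", 1000, 100, parse_symbolic("-rw-r-----"))
USER1 = Process(1000, frozenset({100}))
USER2 = Process(1001, frozenset({100}))     # in grp1, not the owner
USER3 = Process(1002, frozenset({200}))     # neither

if __name__ == "__main__":
    print(to_octal(FS.mode), to_octal(FS_C.mode))             # 755 640
    print(allowed(USER3, FS, "x"), allowed(USER3, FS_C, "r"))  # True False
```

The check in `allowed` picks one triple and stops, which is why a file owner with mode 060 cannot read their own file even though the group can; and `execute` shows the domain switch as a pair of uids, the owner's while the setuid program runs and the caller's again afterwards.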
References

Operating System Concepts. Chapter 14.