Chapter 14: Protection
Protection
• Operating system consists of a collection of objects:
  • Hardware: CPU, memory segments, disks, printers, …
  • Software: files, semaphores, …
• Each object has a name and can be accessed through a set of operations
• Protection problem
  • Ensure that each object is accessed correctly and only by those processes that are allowed to do so
Principles of Protection
• Principle of Least Privilege
  • Programs, users and systems should be given just enough privileges to perform their tasks
Domain Structure
• A process operates within a protection domain
• Domain = set of access rights
• Access right = <object-name, rights-set>
  • rights-set is a subset of all valid operations that can be performed on the object
• Processes can be allowed to switch from one domain to another to access objects or perform needed operations
Domains in UNIX
• A domain is associated with each user
  • Domain = user-id
• The set of objects that can be accessed depends on user-id
• Switch domain = login as a different user
Access Matrix
• View protection as a matrix (access matrix)
• Rows represent domains; columns represent objects
• Entry (i, j) defines the set of operations that a process executing in domain i can invoke on object j
Access Matrix: Domain Switching
• Processes should be able to switch from one domain to another
• A process can switch domains if it has a switch right on these domains
• Consider domains as objects, and add them to the access matrix
Access Matrix: Dynamic Protection
• Need to be able to change entries of the access matrix dynamically
  • i.e., need to add, remove, copy access rights
• To support these operations, special access rights are defined:
  • copy of access right R on object Oj:
    • can copy (propagate) the access right R within the same column (denoted as R*)
  • owner of object Oj:
    • can add/remove access rights to Oj (change column j)
  • control of domain Di:
    • can add/remove access rights to domain Di (change row i)
Access Matrix with Control Rights
• A process running in D2 can change (control) the row of D4
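The three slides above describe the switch, copy (R*), owner and control rights only in words. The following is an added example, not code from the slides or the textbook: a toy access matrix in Python in which domains are also columns (so switch and control rights live in the matrix), and each special right is enforced by the method that uses it. The domain and object names, and the sample matrix in build_example(), are constructed for illustration.

```python
"""Toy access matrix with the special rights from the slides: switch, copy (R*),
owner and control. Added example; the rule set is a simplified model of the
textbook semantics, not an operating-system implementation."""

from collections import defaultdict


class AccessMatrix:
    """Rows are domains, columns are objects. Domains are also objects, so
    entry (Di, Dj) can hold 'switch' or 'control'."""

    def __init__(self):
        # matrix[domain][obj] -> set of right names, e.g. {"read", "write*"}
        self.matrix = defaultdict(lambda: defaultdict(set))

    def grant(self, domain, obj, *rights):
        self.matrix[domain][obj].update(rights)

    def rights(self, domain, obj):
        return set(self.matrix[domain][obj])

    def allowed(self, domain, obj, op):
        """Plain lookup of entry (domain, obj): does it contain op or op*?"""
        entry = self.matrix[domain][obj]
        return op in entry or op + "*" in entry

    def switch(self, current, target):
        """A process may move to `target` only if entry (current, target)
        holds the switch right."""
        if not self.allowed(current, target, "switch"):
            raise PermissionError(f"{current} has no switch right on {target}")
        return target

    def copy_right(self, src, dst, obj, op):
        """copy: a domain holding op* on obj may propagate op to another domain
        in the SAME column (same object). The copy is plain op, not op*."""
        if op + "*" not in self.matrix[src][obj]:
            raise PermissionError(f"{src} holds no copy flag on {op} for {obj}")
        self.matrix[dst][obj].add(op)

    def owner_add(self, actor, target_domain, obj, op):
        """owner: the owner of obj may add rights anywhere in obj's column."""
        if "owner" not in self.matrix[actor][obj]:
            raise PermissionError(f"{actor} does not own {obj}")
        self.matrix[target_domain][obj].add(op)

    def control_remove(self, actor, target_domain, obj, op):
        """control: a domain with control over target_domain may remove rights
        anywhere in target_domain's row."""
        if "control" not in self.matrix[actor][target_domain]:
            raise PermissionError(f"{actor} has no control over {target_domain}")
        self.matrix[target_domain][obj].discard(op)


def build_example():
    """Constructed sample matrix (not the slides' own figure)."""
    m = AccessMatrix()
    m.grant("D1", "F1", "read", "write*")   # D1 may propagate 'write' on F1
    m.grant("D1", "D2", "switch")           # D1 may switch into D2
    m.grant("D2", "F2", "owner", "read")    # D2 owns F2 (controls column F2)
    m.grant("D2", "D4", "control")          # D2 controls D4's row
    m.grant("D4", "F1", "execute")
    m.grant("D4", "F2", "write")
    return m


def demo():
    """Exercise each special right once; returns the matrix and the domain
    the D1 process ends up in after switching."""
    m = build_example()
    m.copy_right("D1", "D3", "F1", "write")       # R* lets D1 hand 'write' to D3
    m.owner_add("D2", "D3", "F2", "execute")      # owner of F2 edits F2's column
    m.control_remove("D2", "D4", "F2", "write")   # control of D4 edits D4's row
    active = m.switch("D1", "D2")                 # domain switch via switch right
    return m, active
```

Note that every mutation goes through a check on the actor's own entry: the matrix is the mechanism, and the rights stored in it are the policy.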
Access Matrix: Policy vs. Mechanism
• Access matrix design separates mechanism from policy
• Mechanism
  • Operating system provides access matrix + rules
  • It ensures that the matrix is only manipulated by authorized users and that rules are strictly enforced
• Policy
  • User dictates policy:
    • Who can access what object and in what mode
Implementation of Access Matrix
• Global Table
  • The matrix is large and sparse, so a global table has large overhead
• Access Control List (ACL)
  • Each column (i.e., object) has a list of domains that can access it and what type of access
  • Example: an ACL of an object may look like <D1, {Read, Write}>, <D2, {Read}>, <D5, {Read, Execute}>
• Capability List
  • Each row (i.e., domain) has a list of objects and what operations are allowed on them
  • Example: a Capability List of a domain may look like <O1, {Read}>, <O4, {Read, Write, Execute}>
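To make the three representations concrete, here is an added example (not from the slides): the same constructed sparse matrix stored as a global table of triples, then sliced by column into ACLs and by row into capability lists, with the lookup each one supports. The two revoke functions go slightly beyond the slide: they show why revoking all access to one object is a single step with ACLs but a scan of every row with capability lists.

```python
"""Global table vs ACL vs capability list for one constructed access matrix.
Added example; the matrix, domain and object names are made up."""

from collections import defaultdict

# Constructed sparse matrix: only non-empty entries are stored.
MATRIX = {
    ("D1", "O1"): {"Read"},
    ("D1", "O4"): {"Read", "Write", "Execute"},
    ("D2", "O1"): {"Read"},
    ("D5", "O2"): {"Read", "Execute"},
}
ALL_DOMAINS = ["D1", "D2", "D3", "D4", "D5"]
ALL_OBJECTS = ["O1", "O2", "O3", "O4"]


def dense_size(domains, objects):
    """Cells a dense matrix would reserve; compare with len(MATRIX)."""
    return len(domains) * len(objects)


def global_table(matrix):
    """One <domain, object, rights> triple per non-empty entry. A lookup has
    to search the table (or keep an index on it)."""
    return sorted((d, o, frozenset(r)) for (d, o), r in matrix.items())


def to_acls(matrix):
    """ACL: for each object (column), which domains may access it and how."""
    acls = defaultdict(dict)
    for (d, o), r in matrix.items():
        acls[o][d] = set(r)
    return dict(acls)


def to_capabilities(matrix):
    """Capability list: for each domain (row), which objects it may use and how."""
    caps = defaultdict(dict)
    for (d, o), r in matrix.items():
        caps[d][o] = set(r)
    return dict(caps)


def acl_check(acls, obj, domain, op):
    """Object-centred check: find the object's ACL, then the domain's entry."""
    return op in acls.get(obj, {}).get(domain, set())


def cap_check(caps, domain, obj, op):
    """Domain-centred check: the domain presents its capability for obj."""
    return op in caps.get(domain, {}).get(obj, set())


def revoke_object_acl(acls, obj):
    """Revoking every domain's access to obj: one column to drop."""
    acls.pop(obj, None)


def revoke_object_caps(caps, obj):
    """Same revocation with capability lists: every row must be visited."""
    for row in caps.values():
        row.pop(obj, None)
```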
Protection in UNIX
• ACL can be long and time consuming to search
• To condense ACLs and accelerate access, UNIX defines three classes
  • Owner: creator of the file
  • Group: users sharing the file; they need similar access (work group)
  • Universe: all others
• 9 bits are used for each file to provide this (coarse-grained) protection
  • rwxrwxrwx filename
• Examples:
  • 111 101 001 filename
  • chmod 775 filename
• Protection bits have slightly different meaning on directories
  • r: can list files, x: can open files
  • (you could open a file even if you do not have r on the directory; you need to know the name though)
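The following is an added example, not from the slides: Python helpers that convert between the rwx string and the octal mode used by chmod (so 111 101 001 is rwxr-x--x = 751 and 775 is rwxrwxr-x), and that apply the owner/group/universe rule the way the kernel does, including the directory case where x without r lets you open a file whose name you know but not list the directory. The uids, gids and file entries are constructed.

```python
"""UNIX 9-bit protection: rwx <-> octal, and the owner/group/universe check.
Added example; users, groups and file entries below are constructed."""


def rwx_to_mode(perm):
    """'rwxr-x--x' -> 0o751. Each class is 3 bits: r=4, w=2, x=1."""
    if len(perm) != 9:
        raise ValueError("expected 9 characters, e.g. rwxr-xr-x")
    mode = 0
    for ch, expected in zip(perm, "rwx" * 3):
        mode <<= 1
        if ch == expected:
            mode |= 1
        elif ch != "-":
            raise ValueError(f"bad character {ch!r}")
    return mode


def mode_to_rwx(mode):
    """0o775 -> 'rwxrwxr-x' (inverse of rwx_to_mode; setuid/setgid bits ignored)."""
    bits = format(mode & 0o777, "09b")
    return "".join(c if b == "1" else "-" for b, c in zip(bits, "rwx" * 3))


def which_class(uid, groups, owner_uid, owner_gid):
    """UNIX picks exactly one class, in this order: owner, group, universe.
    The owner class applies even when its bits are weaker than the others."""
    if uid == owner_uid:
        return "owner"
    if owner_gid in groups:
        return "group"
    return "other"


def can(uid, groups, file, op):
    """file = dict(owner=uid, group=gid, mode=0o...); op is 'r', 'w' or 'x'."""
    cls = which_class(uid, groups, file["owner"], file["group"])
    shift = {"owner": 6, "group": 3, "other": 0}[cls]
    bit = {"r": 4, "w": 2, "x": 1}[op]
    return bool((file["mode"] >> shift) & bit)


def can_open_in_dir(uid, groups, directory, file):
    """Opening dir/name needs x (search) on the directory, not r, plus r on
    the file itself. r on the directory only governs listing its names."""
    return can(uid, groups, directory, "x") and can(uid, groups, file, "r")
```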
Protection in UNIX (cont'd)
• Can we achieve the following with the standard 9 protection bits?
  • Allow owner rwx on file1
  • Allow his group (students) r-x on file1
  • Allow specific user(s), not in students group, r-- on file1
  • All others should have no access (---) on file1
• NO. Solutions?
• Some systems (e.g., Solaris, Linux)
  • Implement protection bits by default for all files, and
  • Create ACL on demand for fine-grained access control
• For the above, we create an ACL on file1 and add the specific users to it
  • On UNIX: command setfacl (set file access control list) does that
  • Check out: man setfacl and man acl
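Here is an added example (not from the slides) of how an on-demand ACL resolves the file1 scenario above. It models the evaluation order described in acl(5) in simplified form: owner entry first, then a named-user entry, then the owning group and named groups, then other, with the mask entry limiting named users and all group entries but never the owner. The users bob and alice, the students group, and file1's entries are constructed; the setfacl command in the comment is the real equivalent of that constructed ACL.

```python
"""Simplified POSIX-ACL style evaluation (what setfacl makes possible).
Added example: uids, gids and file1's entries are constructed; rule order
follows acl(5), reduced to the parts needed here."""

R, W, X = 4, 2, 1


def perms(s):
    """'r-x' -> 5: same 3-bit encoding as a mode class."""
    return sum(v for c, v in zip(s, (R, W, X)) if c != "-")


def acl_allows(acl, uid, groups, want):
    """True if every bit in `want` is granted to (uid, groups).
    acl keys: owner=(uid, perms), group=(gid, perms), other=perms, plus the
    optional extended entries users={uid: perms}, groups={gid: perms}, mask."""
    mask = acl.get("mask", R | W | X)
    if uid == acl["owner"][0]:
        granted = acl["owner"][1]                      # owner: mask not applied
    elif uid in acl.get("users", {}):
        granted = acl["users"][uid] & mask             # named user entry
    else:
        # Owning group plus every named group the user belongs to are candidates.
        # If any candidate grants the request it is allowed; if candidates exist
        # but none grants it, access is denied without falling through to other.
        entries = [acl["group"]] + list(acl.get("groups", {}).items())
        candidates = [p for g, p in entries if g in groups]
        if candidates:
            return any(((p & mask) & want) == want for p in candidates)
        granted = acl["other"]                         # universe
    return (granted & want) == want


def nine_bits_only(acl):
    """What chmod alone can express: drop the extended (setfacl) entries."""
    return {k: v for k, v in acl.items() if k in ("owner", "group", "other")}


# Constructed scenario from the slide: bob (uid 1000) owns file1, group
# students (gid 100) gets r-x, alice (uid 2000, not a student) gets r--,
# everyone else gets ---.  On Linux this corresponds to:
#   chmod 750 file1; setfacl -m u:alice:r file1
FILE1 = {
    "owner": (1000, perms("rwx")),
    "group": (100, perms("r-x")),
    "other": perms("---"),
    "users": {2000: perms("r--")},
    "mask": perms("r-x"),   # setfacl recomputes the mask as the union of group/named entries
}
```

The nine_bits_only view is the point of the slide: with only owner/group/other, alice falls into "other" and gets nothing; the named-user entry is what the extended ACL adds.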
Protection in UNIX: Setuid bit
• Recall that a domain is associated with each user
• Sometimes, we need a user in one domain to execute a command that is allowed only in another domain
  • Example: passwd command (to change password)
  • passwd needs to write to /etc/passwd file; only root can write to this file
• UNIX Solution: (Temporary) domain switching
  • Each file has a setuid bit associated with it
  • When file is executed and setuid = 1, then user-id is set to owner of the file being executed
  • When execution completes user-id is reset
• Example: setuid bit of the passwd command is set (by the root)
  • ls -l /usr/bin/passwd
  • -rwsr-xr-x 1 root shadow 79520 2005-09-09 13:56 /usr/bin/passwd
  • (Use chmod 4755 filename to set the setuid bit)
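The temporary domain switch is easiest to see in a small model, so here is an added example (not from the slides or any kernel): a process keeps a real uid and an effective uid, exec of a file whose mode carries the setuid bit (0o4000, the "s" in -rwsr-xr-x) sets the effective uid to the file's owner for that run and restores it afterwards, and the write check on /etc/passwd uses the effective uid. The tiny filesystem, the uids and the change_password body are constructed; root is deliberately not special-cased so the bit logic stays visible.

```python
"""Toy model of setuid domain switching. Added example with a constructed
filesystem; real and effective uid as in UNIX, access checks on the effective uid."""

ROOT = 0
SETUID = 0o4000   # the setuid bit; chmod 4755 = 0o4000 | 0o755

# Constructed files: path -> dict(owner, mode)
FS = {
    "/etc/passwd":     {"owner": ROOT, "mode": 0o644},   # only root may write
    "/usr/bin/passwd": {"owner": ROOT, "mode": 0o4755},  # -rwsr-xr-x
    "/usr/bin/cat":    {"owner": ROOT, "mode": 0o755},   # -rwxr-xr-x, no setuid
}


def can_write(euid, path):
    """Owner class if the effective uid owns the file, universe otherwise
    (the group class is omitted in this toy)."""
    f = FS[path]
    shift = 6 if euid == f["owner"] else 0
    return bool((f["mode"] >> shift) & 2)


class Process:
    def __init__(self, uid):
        self.ruid = uid   # who logged in
        self.euid = uid   # the domain used for access checks

    def exec(self, path, body):
        """Run body(process) as the program stored at `path`. If the file has
        the setuid bit, the effective uid becomes the file owner for the run
        and is reset when the program finishes (temporary domain switch)."""
        f = FS[path]
        saved = self.euid
        if f["mode"] & SETUID:
            self.euid = f["owner"]
        try:
            return body(self)
        finally:
            self.euid = saved


def change_password(proc):
    """What passwd must do: write /etc/passwd. Only succeeds in root's domain.
    A real setuid program should do just this narrow task while elevated."""
    return can_write(proc.euid, "/etc/passwd")


def run_as_user(uid, program):
    """Returns (did the write succeed, effective uid after the program returned)."""
    p = Process(uid)
    result = p.exec(program, change_password)
    return result, p.euid
```

Running the same body through /usr/bin/cat (no setuid bit) fails for an ordinary user, which is exactly why the bit is set on passwd and not on every root-owned binary.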
Summary
• Protection: allow only authorized access to resources
• Principle of Least Privilege: grant the minimum needed privileges to perform a task
• Access matrix
  • Domains and objects
  • Access rights
  • Implementation: Access Control List, Capability List
• Unix Protection
  • Protection bits
  • Optional ACLs
  • setuid