quartz/content/notes/24-protection-of-file-systems.md
2022-11-01 17:34:36 +13:00


---
title: 24-protection-of-file-systems
aliases:
tags:
  - cosc204
  - lectures
---

protection model

the file system is shared by many users

  • users should be able to keep their own files private, and to share them with chosen others

need to define

  • mechanisms: how the system enforces access (the checks the kernel performs on every open, exec, unlink etc.)
  • policies: who is allowed to do what, set by file owners or by the site

types of file access users can have

  • read
    • on a directory, read means listing its entries
  • write
    • on a directory, write means creating, renaming and deleting entries; deleting a file is therefore governed by write on the directory, not by write on the file itself
  • execute
    • on a directory, execute means search/traverse: without it you cannot enter the directory (cd into it) or reach the files inside it by name, even if you can list them

Access control bits

three classes for each file

  • owner: the user who created the file (or was later given it with chown)
  • group: a set of users who share the file; groups are defined by the system administrator
  • others: all other users on the system

when a file is created it is stamped with an owner id and a group id (taken from the creating process's effective uid and gid); on every access the kernel compares the requesting process's ids against these two to decide which class the process falls into

3 permission bits for each class

  • r: readable
  • w: writable
  • x: executable

exactly one class applies to a request: owner if the uids match, otherwise group if the process is in the file's group, otherwise others. The classes are not unioned, so an owner whose own class lacks a bit is refused even if the group or others class has it

advanced file attributes

  • setuid bit: if set on an executable file, whoever runs the program, the process runs with the privilege (effective uid) of the file's owner; this is how an ordinary user's passwd can update a root-owned password file
  • setgid bit: same as setuid but with the file's group (effective gid); on a directory it instead makes newly created files inherit the directory's group
  • sticky bit: on a directory, restricts deletion and renaming of entries to the file's owner, the directory's owner and root, even when the directory is world-writable (as /tmp is)
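The rules above (three classes, one of which applies, plus setuid/setgid/sticky) worked through in code. This is an added example, not from the lecture: it decodes a mode word the way `ls -l` prints it, performs the classic DAC check, shows how setuid changes the effective ids, and applies the sticky-bit rule for deletion. The uids, gids and modes in the tests are constructed; the root rule (uid 0 bypasses r/w but needs some x bit to execute) is the Linux behaviour.

```python
import os
import stat

# The 3x3 permission bits of a POSIX mode word, one tuple per class:
# (class name, read bit, write bit, execute bit). stat.S_I* are the
# standard-library constants for these bits.
CLASSES = (
    ("owner", stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    ("group", stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    ("others", stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
)
# The three "advanced" bits, in the order ls -l folds them into each x column.
SPECIAL = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)


def mode_string(mode: int) -> str:
    """Render the 12 permission bits as ls -l does, e.g. 0o4755 -> 'rwsr-xr-x'."""
    out = []
    for idx, (_, r, w, x) in enumerate(CLASSES):
        out.append("r" if mode & r else "-")
        out.append("w" if mode & w else "-")
        if mode & SPECIAL[idx]:
            # s (t for sticky) when the class is executable, S/T when it is not
            letter = "t" if idx == 2 else "s"
            out.append(letter if mode & x else letter.upper())
        else:
            out.append("x" if mode & x else "-")
    return "".join(out)


def unix_access(mode: int, file_uid: int, file_gid: int,
                uid: int, gids, want: str) -> bool:
    """Classic DAC check. Exactly one class applies: owner if the uids match,
    else group if the file's gid is among the caller's groups, else others.
    want is a subset of "rwx". uid 0 bypasses r/w but (as on Linux) may only
    execute a file that has at least one x bit set."""
    if uid == 0:
        any_x = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
        return "x" not in want or bool(mode & any_x)
    if uid == file_uid:
        _, r, w, x = CLASSES[0]
    elif file_gid in gids:
        _, r, w, x = CLASSES[1]
    else:
        _, r, w, x = CLASSES[2]
    need = {"r": r, "w": w, "x": x}
    return all(mode & need[op] for op in want)


def effective_ids(mode: int, file_uid: int, file_gid: int, uid: int, gid: int):
    """setuid/setgid on an executable: the new process gets the file owner's
    (group's) id as its effective id, whoever ran it."""
    euid = file_uid if mode & stat.S_ISUID else uid
    egid = file_gid if mode & stat.S_ISGID else gid
    return euid, egid


def can_unlink(dir_mode: int, dir_uid: int, dir_gid: int,
               file_uid: int, uid: int, gids) -> bool:
    """Deleting an entry needs w and x on the *directory*, not on the file.
    With the sticky bit set (as on /tmp, mode 1777) only the file's owner,
    the directory's owner or root may remove it."""
    if not unix_access(dir_mode, dir_uid, dir_gid, uid, gids, "wx"):
        return False
    if dir_mode & stat.S_ISVTX and uid not in (0, file_uid, dir_uid):
        return False
    return True


def describe(path: str) -> str:
    """Show the bits of a real file, e.g. 'rwxrwxrwt /tmp'."""
    st = os.stat(path)
    return f"{mode_string(stat.S_IMODE(st.st_mode))} {path}"


if __name__ == "__main__":
    print(describe("/tmp"))
    # constructed ids: alice (1000) owns a 640 file in group 100;
    # bob (1001) is in that group, carol (1002) is not
    print(unix_access(0o640, 1000, 100, 1001, [100], "r"))   # True
    print(unix_access(0o640, 1000, 100, 1002, [200], "r"))   # False
```

Note the `0o070` case in the checks: the owner is refused read even though the group class has it, because the owner class is the only one consulted for her.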


access control models

Discretionary access control (DAC)

  • a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control).
  • subject centred: the decision depends on who the subject is and what the owner chose to allow

Mandatory access control (MAC)

  • a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity
  • object centred: the decision depends on the object's label, and the owner cannot override it
  • more overhead: every object must be labelled, every subject cleared, and every access checked against the labels
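The contrast between the two models in code, as an added example that is not part of the lecture. The DAC side lets any holder of a permission pass it on, exactly the property the definition above describes; the MAC side is modelled with Bell-LaPadula style rules (no read up, no write down), which is an assumed lattice model the page itself does not name. Subjects, labels and the object are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    """MAC label: a sensitivity level plus a set of categories (compartments).
    Used both for an object's classification and a subject's clearance."""
    level: int
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and self.categories >= other.categories


LEVEL = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


def label(name: str, *cats: str) -> Label:
    return Label(LEVEL[name], frozenset(cats))


class DacObject:
    """Discretionary control: permissions live with the object and anyone who
    holds a permission may hand it on (the definition's 'perhaps indirectly')."""

    def __init__(self, owner: str, mac_label: Label):
        self.owner = owner
        self.label = mac_label
        self.perms = {owner: {"r", "w"}}   # the owner starts with everything

    def grant(self, granter: str, grantee: str, op: str) -> None:
        if op not in self.perms.get(granter, set()):
            raise PermissionError(f"{granter} does not hold {op} and cannot pass it on")
        self.perms.setdefault(grantee, set()).add(op)

    def dac_allows(self, subject: str, op: str) -> bool:
        return op in self.perms.get(subject, set())


def mac_allows(clearance: Label, obj_label: Label, op: str) -> bool:
    """Bell-LaPadula style rules (assumed model): read only if the clearance
    dominates the object label (no read up); write only if the object label
    dominates the clearance (no write down)."""
    if op == "r":
        return clearance.dominates(obj_label)
    if op == "w":
        return obj_label.dominates(clearance)
    raise ValueError(f"unknown operation {op!r}")


def allowed(obj: DacObject, subject: str, op: str, clearances: dict) -> bool:
    """A system running both: the discretionary grant is necessary, but the
    mandatory label check can still veto it."""
    return obj.dac_allows(subject, op) and mac_allows(clearances[subject], obj.label, op)


CLEARANCES = {   # constructed sample subjects
    "alice": label("secret", "crypto"),
    "bob": label("confidential"),
    "carol": label("top-secret", "crypto"),
}


def scenario() -> dict:
    """alice owns a secret/crypto report; she grants bob read, bob re-grants carol,
    then alice grants carol write."""
    report = DacObject("alice", label("secret", "crypto"))
    report.grant("alice", "bob", "r")
    report.grant("bob", "carol", "r")      # DAC lets bob pass the bit on
    bob_dac = report.dac_allows("bob", "r")
    bob_final = allowed(report, "bob", "r", CLEARANCES)        # MAC vetoes: read up
    carol_read = allowed(report, "carol", "r", CLEARANCES)     # cleared and granted
    carol_write_dac = report.dac_allows("carol", "w")          # not granted yet
    report.grant("alice", "carol", "w")
    carol_write = allowed(report, "carol", "w", CLEARANCES)    # MAC vetoes: write down
    alice_write = allowed(report, "alice", "w", CLEARANCES)    # owner, same label
    return {
        "bob_dac": bob_dac, "bob_final": bob_final, "carol_read": carol_read,
        "carol_write_dac": carol_write_dac, "carol_write": carol_write,
        "alice_write": alice_write,
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(name, verdict)
```

The overhead the notes mention is visible here: every subject needs a clearance and every object a label before any check can run, whereas the DAC table is just whatever the owner has chosen to record.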

Access control list (ACL)

  • a list of permissions attached to an object (file)
  • specifies who or what is allowed to access the object and which operations they may perform on it
  • consists of entries like [user, operations] where the operations can be r, w, x, d etc.; an entry's subject may also be a group
  • finer-grained and more convenient than the fixed owner/group/others bits alone, since any number of users and groups can be named per file
  • can implement DAC and MAC

Role based access control (RBAC)

  • similar to ACL except that RBAC aggregates a group of users with the same privileges into a role; permissions attach to roles and users are assigned roles
  • can implement DAC and MAC
  • policy neutral and defined around roles and privileges; changing a role's permissions or a user's role membership takes effect everywhere at once
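A small ACL and a small RBAC side by side, as an added example not taken from the lecture, covering both the ACL and RBAC sections above. The `Acl` holds `[subject, operations]` entries as the notes describe, with group subjects resolved through the caller's group list; `Rbac` attaches permissions to roles and users to roles, and `to_acl` expands a role assignment into the equivalent per-object ACL, which is the sense in which RBAC is "similar to ACL". The users, roles and file name are constructed.

```python
from collections import defaultdict


class Acl:
    """Access control list attached to one object: entries of [subject, operations].
    A subject may be a user name or a group name; the caller passes the user's groups."""

    def __init__(self, entries=()):
        self.entries = {}
        for subject, ops in entries:
            self.grant(subject, ops)

    def grant(self, subject, ops):
        self.entries.setdefault(subject, set()).update(ops)

    def revoke(self, subject, ops=None):
        if ops is None:
            self.entries.pop(subject, None)       # drop the whole entry
        else:
            self.entries.get(subject, set()).difference_update(ops)

    def permits(self, user, op, groups=()):
        # union over the user's own entry and any of their groups' entries
        return any(op in self.entries.get(s, set()) for s in (user, *groups))


class Rbac:
    """Role-based: permissions attach to roles, users are assigned roles.
    Editing a role changes every member at once; unassigning a role from a
    user revokes everything that role carried."""

    def __init__(self):
        self.role_perms = defaultdict(set)   # role -> {(object, op)}
        self.user_roles = defaultdict(set)   # user -> {role}

    def add_permission(self, role, obj, op):
        self.role_perms[role].add((obj, op))

    def assign(self, user, role):
        self.user_roles[user].add(role)

    def unassign(self, user, role):
        self.user_roles[user].discard(role)

    def permits(self, user, obj, op):
        return any((obj, op) in self.role_perms[r] for r in self.user_roles[user])

    def to_acl(self, obj):
        """Expand the role assignments into the per-object ACL they are equivalent to."""
        acl = Acl()
        for user, roles in self.user_roles.items():
            for role in roles:
                ops = {op for (o, op) in self.role_perms[role] if o == obj}
                if ops:
                    acl.grant(user, ops)
        return acl


def scenario():
    """Constructed sample: a payroll file, two roles and three users."""
    rbac = Rbac()
    rbac.add_permission("accountant", "payroll.csv", "r")
    rbac.add_permission("accountant", "payroll.csv", "w")
    rbac.add_permission("auditor", "payroll.csv", "r")
    rbac.assign("alice", "accountant")
    rbac.assign("bob", "auditor")
    rbac.assign("carol", "accountant")
    rbac.assign("carol", "auditor")
    acl_before = rbac.to_acl("payroll.csv").entries
    rbac.unassign("carol", "accountant")   # one change: carol loses w on every object
    return {
        "alice_w": rbac.permits("alice", "payroll.csv", "w"),
        "bob_w": rbac.permits("bob", "payroll.csv", "w"),
        "carol_w": rbac.permits("carol", "payroll.csv", "w"),
        "carol_r": rbac.permits("carol", "payroll.csv", "r"),
        "acl_before": acl_before,
        "acl_after": rbac.to_acl("payroll.csv").entries,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(name, value)
```

With a plain ACL the same revocation would mean visiting every file that names carol; with RBAC it is one membership change, which is the practical reason roles are preferred when many users share identical privileges.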