本文是我在上UCSD的 CSE 120: Principles of Operating Systems (Winter 2020) 整理的笔记,这一课主要介绍了操作系统里面对文件和进程资源的保护方法,包括用户权限和用户组管理。
Basics
Introduction
- Process access resources
Resources are shared, need to be protected
- from process without permission
- from improper access by a process
What is the right protection model?
- What are the mechanism?
The kernel enforces protection
- To pretect resources, have kernel “own” them, then kernel can allow access temporairily
- To access a resource, a process must ask for it, then kernel can test whether access should be given
One a process is given access
- kernel can prevent others for gaining access
- kernel may/may not be able to take away access
This assumes kernel operates correctly
Protecting the kernel
- The kernel itself must be protected
Mechanism
- Memory protecion
- Protected mode of operation: kernel vs. user
- Clock interrupt, so kernel eventually gets control
Notice, mechanisms are hardware supported
- Protected kernel can protect other resources
Goals supported by kernel
- Allow range of permissions
- Allow user to set/get them
- Be fast/simple for common use
- Support user expressing complex permissions
Implementation
Simple model
A formal model of protection
- Protection: how to limit access to a resource
- Resource: object that requires protection
- Domain: set of (resource, permission) pairs
- Process: accesses resources within domain
Protection Matrix
Example: (X, Y: Resources A,B: Domains)
| | X | Y | A | B |
|—-|—- | —- |—-|—-|
| A | r,w | r,w | | |
| B | w | r | | |Can describe all domains as a matrix
- Rows are domains
- Columns are resources
- Matrix entry [d, r] contains permissions/rights
Access Control Lists (For resource)
- For each resource, list (domain, permissions) pairs
- ACL is associated with resource
- Like a registry: if name is on list, ok to access
- Can be inefficient: must lookup on each access
- Revocation is easy; just remove from list
Capability Lists (For domain)
- For each domain, list (resource, permissions pairs)
- Capability list associated with each domain
- Like key/ticker: if you have it, you get access
- Efficient: on access, just produce capability
- Hard to revoke
UNIX Protecion
Basic
Associated with each file is set of permissions
- Permission bits r/w/x for owner, group, world
- Limited form of access control list
Protection domain: UID (user account ID) + …
- A process is always in some domain
When process opens file, check permission
If ok, provide process with a capability
- Future operations then carried out efficiently
More
- For common case, r/w/x for o/g/w adequate
- For special cases, can extend via user program
- SETUID mechanism: causes domain switch
If executable file has SETUID bit set
- Process runs in domain of owner (of executable)
- Therefor, it runs with all the rights of the owner
Example
- Pat has a file “Bil” of bibliography references
- Chris wants to read and add entries
- But, Chris lacks permissions (only Pat can r/w)
- Pat wisher to allow append access (only add entris to the back), but how?
Solution:
- Pat can provide program (e.g., EditBib): only reads/appends
Set permissions
- of program: execute (for Chris), and SETUID on
- of Bib file: read/write only for Pat, not Chris
When Chris executes EditBib, runs as Pat (since SETUID on, domain switch to Pat’s domain)
- Program only does read/append.