Essay on Ok Ntfs

681 Words Mar 15th, 2015 3 Pages
Access control
Basic concepts

Access control
• What can you do after authentication?
• "The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner" (ITU-T Recommendation X.800)

AC concepts

[Figure: a subject (the active entity: a user or process, method, code…, represented by a "principal") makes a request (read, write, delete, create…) to the reference monitor, which makes the authorization decision; the subject is granted access (or not) to the object (the protected entity: file, memory, device, process, method, code…).]

Auth… what?
• Authentication: who made the request?
• Authorization: is the subject authorized/trusted to perform the operation?

• Basic: observe, alter – very abstract, good for modeling
Capabilities

bjorn, eva, lila4711, rast1337
assignment.txt: read, write | read | read
solution.txt: read, write | read
grades.xls: read, write | read, write | -

Where is each used? (Examples, OS, computer architecture?) Why? (Advantages, disadvantages?)

ACLs vs. Capabilities

ACLs
• File protection, authentication data
• Good for owned objects: can review rights by inspecting objects
• Hard to e.g. revoke all rights of a subject
• Expensive to check at each reference

Capabilities
• MMU, page table, open file descriptors, certificates
• Good: Delegation possible
• Hard to see who has what access to an object
• Harder to revoke, esp. with delegation

Combining ACL/CL
• Checking file ACL for each read/write operation is too expensive (why?)

• Typical solution:
‣ check ACL when file is opened, return file descriptor which contains rights allowed at opening = capability
f = open("file.txt", O_RDWR);
‣ check capability at read/write operations
fail = write(f, buffer, size);

Any problems possible?

TOCTTOU!
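
The open/write sequence above, as an added C example that is not part of the original slides: POSIX permission bits stand in for the ACL and the file descriptor for the capability. The scratch path under /tmp and the names `acl_vs_capability` and `struct result` are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

struct result {
    int  ro_write_errno;  /* errno from write() on a read-only descriptor */
    long stale_write;     /* bytes written through f after rights were revoked */
    int  reopen_errno;    /* errno from a fresh open() after revocation, 0 if it succeeded */
};

/* Returns 0 on success, -1 if the scratch file could not be set up. */
int acl_vs_capability(struct result *r)
{
    char path[] = "/tmp/acl_cap_demo_XXXXXX";  /* constructed scratch file */
    int tmp = mkstemp(path);
    if (tmp < 0) return -1;
    close(tmp);

    /* Time of check: the permission bits (the "ACL") are evaluated here only. */
    int ro = open(path, O_RDONLY);
    int f  = open(path, O_RDWR);
    if (ro < 0 || f < 0) { close(ro); close(f); unlink(path); return -1; }

    /* The capability is checked on every use: ro was never granted write. */
    r->ro_write_errno = (write(ro, "x", 1) < 0) ? errno : 0;

    /* The owner revokes every right on the object. */
    int revoked = (chmod(path, 0) == 0);

    /* Time of use: f still carries the rights that were granted at open(). */
    r->stale_write = (long)write(f, "late", 4);

    /* A fresh check sees the revocation (root bypasses permission bits). */
    int again = open(path, O_RDWR);
    r->reopen_errno = (again < 0) ? errno : 0;
    if (again >= 0) close(again);
    close(ro); close(f); unlink(path);
    return revoked ? 0 : -1;
}

int main(void)
{
    struct result r;
    if (acl_vs_capability(&r) != 0) return 1;
    printf("O_RDONLY write errno=%d, write after chmod=%ld bytes, reopen errno=%d\n",
           r.ro_write_errno, r.stale_write, r.reopen_errno);
    return 0;
}
```

The write through `f` succeeding after `chmod` is the gap between time of check and time of use: revoking rights on the object does not reach descriptors that were already handed out.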

But who sets access rights?

• Define an owner of each object
• Let owner set access rights for objects at his/her discretion

Discretionary AC (DAC)

• Like standard file protection
Any problems possible?

Mandatory AC (MAC)
• System-wide access control policy decides
• Avoids mistakes (or centralizes
