| author | mo khan <mo@mokhan.ca> | 2021-05-23 13:57:43 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2021-05-23 13:57:43 -0600 |
| commit | 94357bc2bd7d1bfede26ef827025406278cca157 (patch) | |
| tree | 823c81215fb4bed30a00340a52964412ca6df883 | |
| parent | f6a5874daf238f079cc78efc0047e616c487e4b3 (diff) | |
add notes on chapter 14
| -rw-r--r-- | doc/14.md | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/doc/14.md b/doc/14.md new file mode 100644 index 0000000..6177291 --- /dev/null +++ b/doc/14.md @@ -0,0 +1,29 @@ +# Protection + +Protection refers to controlling the access of programs, processes or users +to the resources defined by a computer system. + +Principle of least privilege: dictates that programs, users, and even systems +be given just enough privileges to perform their tasks. + +Need to know principle: a process should be able to access only those resources +that it currently requires to complete its task. + +A process operates within a `protection domain`, which specifies which resoures +the process may access. +The ability to execute an operation on an object is an `access right`. + +In UNIX a domain is associated with the user. +An owner identification and domain bit (setuid bit) are associated with each file. +When the `setuid` bit is on and a user executes the file the user id is set to that +of the owner of the file. When the bit is off the user id does not change. + +## Summary + +Computer contain many objects (memory, CPU, I/O devices, files, programs, semaphores) +and they need to be protected from abuse. +An access right is permission to perform an operation on an object. +A domain is a set of access rights. +Processes execute in domains and may use any of the access rights in the domain. +A process may be bound to a specific domain or allowed to switch from one domain +to another. |
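Review bot: two spelling slips in the new doc/14.md should be fixed before merge: `resoures` in the protection-domain paragraph ("which specifies which resoures the process may access") should be `resources`, and `Computer contain many objects` in the Summary should read `Computers contain many objects`. One wording point on the setuid paragraph: "the user id is set to that of the owner of the file" is more precisely the process's effective user ID, which is the identity the kernel checks when granting access rights; saying "effective user id" there keeps the paragraph consistent with the `protection domain` and `access right` terms defined just above it.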
