# Protection

Protection refers to controlling the access of programs, processes, or users to the resources defined by a computer system.

Principle of least privilege: programs, users, and even systems should be given just enough privileges to perform their tasks.

Need-to-know principle: a process should be able to access only those resources that it currently requires to complete its task.

A process operates within a `protection domain`, which specifies which resources the process may access. The ability to execute an operation on an object is an `access right`.

In UNIX, a domain is associated with the user. An owner identification and a domain bit (the setuid bit) are associated with each file. When the `setuid` bit is on and a user executes the file, the user ID is set to that of the owner of the file. When the bit is off, the user ID does not change.

## Summary

Computers contain many objects (memory, CPU, I/O devices, files, programs, semaphores), and they need to be protected from abuse. An access right is permission to perform an operation on an object. A domain is a set of access rights. Processes execute in domains and may use any of the access rights in the domain. A process may be bound to a specific domain or allowed to switch from one domain to another.
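
The UNIX setuid rule described on this page, as an added example that is not part of the original text: the C code below reads a file's owner and setuid bit with `stat()` and reports which user's domain a caller would run in after executing the file, which is the check a least-privilege audit of an executable starts from. The function names, the `/tmp` sample paths and the caller ID are assumptions made for the illustration; the code applies only the rule as stated here and ignores mount options such as `nosuid`.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Domain (user ID) a process runs in after executing `path`, per the rule
 * in the text: setuid bit on -> owner of the file, bit off -> caller's ID
 * unchanged. Hypothetical helper. Returns 0 on success, -1 on error. */
int domain_after_exec(const char *path, uid_t caller, uid_t *domain)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    *domain = (st.st_mode & S_ISUID) ? st.st_uid : caller;
    return 0;
}

/* Least-privilege audit check: 1 if executing `path` moves the caller into
 * another user's domain, 0 if the domain is unchanged, -1 on error. */
int switches_domain(const char *path, uid_t caller)
{
    uid_t d;
    if (domain_after_exec(path, caller, &d) != 0)
        return -1;
    return d != caller;
}

/* Create an empty sample file; O_EXCL refuses a pre-existing path or link. */
int make_sample(const char *path, mode_t mode)
{
    int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    return chmod(path, mode); /* chmod is not subject to the umask */
}

int main(void)
{
    const char *on = "/tmp/demo_suid_on.tmp", *off = "/tmp/demo_suid_off.tmp";
    uid_t other = geteuid() + 1; /* constructed caller that is not the owner */
    unlink(on); unlink(off);
    if (make_sample(on, 04755) != 0 || make_sample(off, 0755) != 0)
        return 1;
    printf("setuid on : switches domain = %d\n", switches_domain(on, other));
    printf("setuid off: switches domain = %d\n", switches_domain(off, other));
    unlink(on); unlink(off);
    return 0;
}
```
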