# Protection
Protection refers to controlling the access of programs, processes or users
to the resources defined by a computer system.
Principle of least privilege: dictates that programs, users, and even systems
be given just enough privileges to perform their tasks.
Need to know principle: a process should be able to access only those resources
that it currently requires to complete its task.
A process operates within a `protection domain`, which specifies which resources
the process may access and which operations it may perform on them.
The ability to execute an operation on an object is an `access right`.
In UNIX a domain is associated with the user: the set of rights a process holds is
determined by its (effective) user id.
An owner identification and a domain bit (the `setuid` bit) are associated with each file.
When the `setuid` bit is on and a user executes the file, the effective user id of the
new process is set to that of the owner of the file, so the process switches into the
owner's domain. When the bit is off the user id, and hence the domain, does not change.
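The following is an added example, not part of the original notes: a small
access-matrix model of the ideas above (domains, access rights, processes bound to a
domain, and the setuid-style domain switch on execute). The `ProtectionSystem`,
`Process` and `File` classes, the users `alice` and `root`, and the file names are
all assumptions made for the illustration; they model, rather than call, the real
UNIX mechanism.

```python
# Added example (not from the original notes): a toy access-matrix model of
# protection domains with a UNIX-style setuid domain switch on execute.
from dataclasses import dataclass
from typing import Dict, Set


class AccessDenied(PermissionError):
    """Raised when a process attempts an operation its current domain lacks."""


@dataclass(frozen=True)
class File:
    name: str
    owner: str            # owner identification
    setuid: bool = False  # the domain bit


class ProtectionSystem:
    """Access matrix: rows are domains (here: user ids), columns are objects."""

    def __init__(self) -> None:
        self.matrix: Dict[str, Dict[str, Set[str]]] = {}
        self.files: Dict[str, File] = {}

    def add_file(self, f: File) -> None:
        self.files[f.name] = f

    def grant(self, domain: str, obj: str, *rights: str) -> None:
        self.matrix.setdefault(domain, {}).setdefault(obj, set()).update(rights)

    def allows(self, domain: str, obj: str, right: str) -> bool:
        return right in self.matrix.get(domain, {}).get(obj, set())


class Process:
    """A process runs in exactly one domain at a time; in UNIX that is a user id."""

    def __init__(self, system: ProtectionSystem, uid: str) -> None:
        self.system = system
        self.real_uid = uid   # who started the process
        self.domain = uid     # effective uid == current protection domain

    def access(self, obj: str, right: str) -> None:
        if not self.system.allows(self.domain, obj, right):
            raise AccessDenied(f"domain {self.domain!r} may not {right} {obj!r}")

    def execute(self, name: str) -> str:
        """Execute a file; if its setuid bit is on, switch to the owner's domain."""
        self.access(name, "execute")
        f = self.system.files[name]
        if f.setuid:
            self.domain = f.owner
        return self.domain

    def drop_privileges(self) -> str:
        """Return to the real user's domain once the privileged step is done."""
        self.domain = self.real_uid
        return self.domain


def build_system() -> ProtectionSystem:
    # Constructed sample: only the root domain holds rights on the password database.
    sysm = ProtectionSystem()
    sysm.add_file(File("/etc/shadow", owner="root"))
    sysm.add_file(File("/usr/bin/passwd", owner="root", setuid=True))
    sysm.add_file(File("/bin/ls", owner="root"))
    sysm.grant("root", "/etc/shadow", "read", "write")
    for domain in ("root", "alice"):
        sysm.grant(domain, "/usr/bin/passwd", "execute")
        sysm.grant(domain, "/bin/ls", "execute")
    return sysm


def can_write_shadow(proc: Process) -> bool:
    try:
        proc.access("/etc/shadow", "write")
        return True
    except AccessDenied:
        return False


def run_demo() -> dict:
    sysm = build_system()
    p = Process(sysm, "alice")
    result = {"before": can_write_shadow(p)}   # False: alice's domain lacks the right
    result["after_ls"] = p.execute("/bin/ls")  # setuid off: still "alice"
    result["after_passwd"] = p.execute("/usr/bin/passwd")  # setuid on: now "root"
    result["can_write_as_root"] = can_write_shadow(p)       # True
    result["after_drop"] = p.drop_privileges()             # back to "alice"
    result["can_write_after_drop"] = can_write_shadow(p)    # False again
    return result


if __name__ == "__main__":
    print(run_demo())
```

The `drop_privileges` step is the least-privilege half of the picture: a setuid
program should hold the owner's domain only for the step that needs it and return to
the caller's domain afterwards, otherwise every later operation runs with the
owner's rights.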
## Summary
Computers contain many objects (memory, CPU, I/O devices, files, programs, semaphores)
and they need to be protected from abuse.
An access right is permission to perform an operation on an object.
A domain is a set of access rights.
Processes execute in domains and may use any of the access rights in the domain.
A process may be bound to a specific domain or allowed to switch from one domain
to another.