These are my notes from UCSD's CSE 120: Principles of Operating Systems (Winter 2020). This lecture mainly covers how an operating system protects files and process resources, including user permissions and user group management.
Basics
-
Introduction
-
Process access resources
-
Resources are shared, need to be protected
- from process without permission
- from improper access by a process
-
What is the right protection model?
-
What are the mechanisms?
-
-
The kernel enforces protection
-
To protect resources, have the kernel “own” them; the kernel can then allow access temporarily
-
To access a resource, a process must ask for it, then kernel can test whether access should be given
-
Once a process is given access
- kernel can prevent others from gaining access
- kernel may/may not be able to take away access
-
This assumes kernel operates correctly
-
-
Protecting the kernel
-
The kernel itself must be protected
-
Mechanism
- Memory protection
- Protected mode of operation: kernel vs. user
- Clock interrupt, so kernel eventually gets control
-
Notice, mechanisms are hardware supported
-
Protected kernel can protect other resources
-
-
Goals supported by kernel
- Allow range of permissions
- Allow user to set/get them
- Be fast/simple for common use
- Support user expressing complex permissions
Implementation
Simple model
-
A formal model of protection
- Protection: how to limit access to a resource
- Resource: object that requires protection
- Domain: set of (resource, permission) pairs
- Process: accesses resources within domain
-
Protection Matrix
-
Example: (X, Y: resources; A, B: domains)

      X     Y
  A   r,w   r,w
  B   w     r
-
Can describe all domains as a matrix
- Rows are domains
- Columns are resources
- Matrix entry [d, r] contains permissions/rights
-
Access Control Lists (For resource)
- For each resource, list (domain, permissions) pairs
- ACL is associated with resource
- Like a registry: if name is on list, ok to access
- Can be inefficient: must lookup on each access
- Revocation is easy; just remove from list
-
Capability Lists (For domain)
- For each domain, list (resource, permissions) pairs
- Capability list associated with each domain
- Like a key/ticket: if you have it, you get access
- Efficient: on access, just produce capability
- Hard to revoke
-
UNIX Protection
-
Basic
-
Associated with each file is set of permissions
- Permission bits r/w/x for owner, group, world
- Limited form of access control list
-
Protection domain: UID (user account ID) + …
- A process is always in some domain
-
When process opens file, check permission
-
If ok, provide process with a capability
- Future operations then carried out efficiently
-
-
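As an added example (my own code, not from the course or these notes), the following Python models the protection matrix from the notes, derives the ACL (column) and capability list (row) views from it, and mirrors the UNIX flow above: an ACL-style check at open time that hands back a capability, after which operations just present the capability. The Kernel class and its method names are my own assumptions; note how revoking the ACL entry does not take back a capability already handed out, which is the "hard to revoke" point from the notes.

```python
from dataclasses import dataclass

# Protection matrix from the notes: rows are domains, columns are resources,
# entry [d, r] holds the rights domain d has on resource r.
MATRIX = {
    "A": {"X": {"r", "w"}, "Y": {"r", "w"}},
    "B": {"X": {"w"}, "Y": {"r"}},
}


def acl_for(resource):
    """Column view: the (domain, rights) pairs that would be stored with the resource."""
    return {d: set(row[resource]) for d, row in MATRIX.items() if row.get(resource)}


def capabilities_for(domain):
    """Row view: the (resource, rights) pairs that would be stored with the domain."""
    return {r: set(p) for r, p in MATRIX[domain].items() if p}


@dataclass(frozen=True)
class Capability:
    resource: str
    rights: frozenset  # like a UNIX file descriptor: carries the rights granted at open


class Kernel:
    """Hypothetical kernel: ACL lookup at open(), capability check afterwards."""

    def __init__(self):
        self.acls = {r: acl_for(r) for r in ("X", "Y")}

    def open(self, domain, resource, rights):
        # The (slower) ACL lookup happens once, at open time.
        if not set(rights) <= self.acls[resource].get(domain, set()):
            raise PermissionError(f"domain {domain} may not {rights} {resource}")
        return Capability(resource, frozenset(rights))

    def can_open(self, domain, resource, rights):
        try:
            self.open(domain, resource, rights)
            return True
        except PermissionError:
            return False

    def access(self, cap, right):
        # Later operations only present the capability; no ACL lookup.
        return right in cap.rights

    def revoke(self, domain, resource):
        # Easy on the ACL side: drop the entry. Held capabilities are unaffected.
        self.acls[resource].pop(domain, None)
```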
More
-
For common case, r/w/x for o/g/w adequate
-
For special cases, can extend via user program
-
SETUID mechanism: causes domain switch
-
If executable file has SETUID bit set
- Process runs in domain of owner (of executable)
- Therefore, it runs with all the rights of the owner
-
-
Example
-
Pat has a file “Bib” of bibliography references
-
Chris wants to read and add entries
-
But, Chris lacks permissions (only Pat can r/w)
-
Pat wishes to allow append access (only add entries at the end), but how?
-
Solution:
-
Pat can provide program (e.g., EditBib): only reads/appends
-
Set permissions
- of program: execute (for Chris), and SETUID on
- of Bib file: read/write only for Pat, not Chris
-
When Chris executes EditBib, runs as Pat (since SETUID on, domain switch to Pat’s domain)
-
Program only does read/append.
-
-