3. Describe the working process of the UNIX model
UNIX - Access Control
UNIX uses access control lists. A user logs in to UNIX and has the right to start processes that make requests. A process is "bigger" than a subject: many domains may correspond to one process. Every process has an identity (uid). This uid is obtained from the file that stores user passwords: /etc/passwd. An entry in /etc/passwd might look like:
Each process inherits its uid from the user who starts the process. Each process also has an effective uid, also a number, which may be different from the uid.
Finally, each UNIX process is a member of several groups. In the original UNIX each user was a member of one group. Currently, users can be members of more than one group. Group information can be obtained from /etc/passwd or from the file /etc/groups. The system administrator controls the latter file. An entry in /etc/groups might look like:
When a process is created, the list of all the groups it belongs to is associated with it.
Remember that groups are a way to shorten access control lists. They are useful in other ways too.
All of the above implements a form of authentication: knowing the identity of the subject running a command. Objects in UNIX are files. UNIX tries to make everything look like a file. (For example, one can think of "writing" to a process as equivalent to sending it a message, etc.) Therefore, we will only worry about files, recognizing that almost every resource can be cast as a file.
Nine of the 12 mode bits are used to encode access rights. These access bits can be thought of as a protection matrix entry. They are divided into three groups of three:
The first triplet (u) is for the user, the second (g) for the group and the third (o) for others. If a given bit is set, then the named set of processes has the corresponding access right (r: read, w: write, x: execute).
But there are some subtleties. To access a file, it is necessary to name the object. Names are always relative to some directory, for example: ~fbs/text/cs513/www/L07.html. Directories are themselves just files, but in the case of directories:
The "r" (read) bit controls the ability to read the list of files in a directory. If "r" is set, you can use "ls" to view the directory.
The "x" (search) bit controls the ability to use that directory to build a valid path name. If the "x" bit is set, you can access the files contained in the directory.
So, for example, the 'x' bit allows a user to make a directory the current working directory, and it needs to be set in order to read files in the current working directory. A file can therefore be made impossible to access by turning off the 'x' bit of the directory in which it is located.
Does 'x' without 'r' access make sense? Yes! This is a directory whose file names cannot be learned, but whose files can be accessed if you know their names. This is actually useful.
Does 'r' without 'x' access make sense? This is a directory whose file names can be learned, but whose files cannot be accessed. This is not very useful.
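The triplet check and the directory 'r' and 'x' rules described above, as an added example that is not part of the original post. It is a toy model in Python rather than kernel code: the uids, gids, file names and tree are constructed, and root and extended permissions are not modelled.

```python
R, W, X = 4, 2, 1          # bit values inside one rwx triplet
ALICE, BOB = 1000, 1001    # constructed uids

class Node:
    def __init__(self, owner, group, mode, children=None):
        self.owner, self.group, self.mode = owner, group, mode
        self.children = children   # dict for a directory, None for a plain file

def allowed(euid, gids, node, want):
    """Select exactly one triplet (user, else group, else other) and test it."""
    if euid == node.owner:
        bits = node.mode >> 6
    elif node.group in gids:
        bits = node.mode >> 3
    else:
        bits = node.mode
    return ((bits & 7) & want) == want

def lookup(euid, gids, root, path):
    """Resolve path; each directory walked through needs the 'x' (search) bit."""
    node = root
    for name in path.strip("/").split("/"):
        if node.children is None or not allowed(euid, gids, node, X):
            raise PermissionError(f"cannot search for {name!r}")
        node = node.children[name]
    return node

def listdir(euid, gids, directory):
    """Learning the names needs the 'r' bit on the directory itself."""
    if not allowed(euid, gids, directory, R):
        raise PermissionError("cannot list directory")
    return sorted(directory.children)

def sample_tree():
    """Constructed tree: 'drop' is x-without-r for others, 'shown' is r-without-x."""
    note = Node(ALICE, 100, 0o644)
    return Node(0, 0, 0o755, {
        "drop": Node(ALICE, 100, 0o711, {"notes.txt": note}),
        "shown": Node(ALICE, 100, 0o744, {"a.txt": Node(ALICE, 100, 0o644)}),
        "locked": Node(ALICE, 100, 0o044),   # owner has fewer rights than others
    })

if __name__ == "__main__":
    root = sample_tree()
    print(allowed(BOB, {200}, lookup(BOB, {200}, root, "drop/notes.txt"), R))
    print(allowed(ALICE, {100}, root.children["locked"], R))
```

Because only one triplet is ever consulted, the owner of "locked" is refused a read that every other user is granted.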
How are these access bits set? UNIX has a number of rules that determine how the bits are set initially and how they can be changed. We will only discuss how they are changed. The 'chmod' command changes the mode bits. Who may run chmod on an object? Only the uid that owns the file can run chmod on that file (except for root, of course). There is also a command to change the owner of a file, but it has been removed from newer systems.
What about the last three of the 12 mode bits? The mechanisms discussed so far do not support domain changes. There is one domain, the user id, and once a process is running it stays (in the abstract) in one row of the protection matrix. Imagine a situation where we want a file to be accessible only through certain programs. This is not possible in the framework so far, but the additional mode bits allow it. We will mention only two of the three bits: suid (set user id) and sgid (set group id). A file with the suid bit set does not run with the uid of the calling process, but with an effective uid equal to the owner of the file. This lets us change from executing as one subject to executing as another. The sgid bit works on the same principle, but for groups.
These additional mode bits are used when a program needs access to many objects, but in a controlled way (for example, with root rights). It is very useful to give users a setuid program, which can do less damage than letting users run programs with full root rights. We do not have the notion of templates that we discussed earlier, so this UNIX mechanism is not as powerful. We do not fully realize the principle of least privilege.
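Since every suid or sgid file is a domain switch, an administrator will want an inventory of them. The following added example (not from the original post) lists such files under a directory, flags those that group or others can write, and applies the effective-id rule described above; the file names in demo() are constructed, and mount options and scripts are not considered.

```python
import os
import stat
import tempfile

def audit(top):
    """List regular files under top that carry the suid or sgid bit."""
    hits = []
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                      # do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = [label for bit, label in ((stat.S_ISUID, "suid"),
                                              (stat.S_ISGID, "sgid"))
                     if st.st_mode & bit]
            if flags:
                # A set-id file that group or others can write is a finding:
                # whoever can rewrite it runs code with the owner's identity.
                loose = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
                hits.append((path, "+".join(flags), loose, st.st_uid))
    return sorted(hits)

def ids_after_exec(euid, egid, st):
    """Effective ids after executing the file, following the suid/sgid rule."""
    new_euid = st.st_uid if st.st_mode & stat.S_ISUID else euid
    new_egid = st.st_gid if st.st_mode & stat.S_ISGID else egid
    return new_euid, new_egid

def demo():
    """Build a constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as top:
        for name, mode in (("helper", 0o4755), ("plain", 0o755), ("risky", 0o4775)):
            path = os.path.join(top, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return [(os.path.basename(p), f, w) for p, f, w, _uid in audit(top)]

if __name__ == "__main__":
    print(demo())
```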
Some versions of UNIX use the idea of an additional access control list, and not just the mode bits, to handle access control. In this case, each file has the mode bits as discussed and also extended permissions. Extended permissions provide exceptions to the mode bits as follows:
Specify: for example, "r-- u:harry" means that the user harry has only read access.
Deny: for example, "-w- g:acsu" means removing write access from the group acsu.
Permit: for example, "u:bill, g:swe" means giving read and write access to bill if bill is also a member of the group swe. The comma is a conjunction.
With extended permissions, a user can be required to enter a particular group before being allowed to access a file.
4. Give an example of a case study that relates the UNIX model to the security of the computer.
How to set access rights
We can set file permissions with the chmod command. chmod has two modes that can be used to configure file permissions: the symbolic and the numerical method.
Symbolic method:
- First: decide whether you are setting access rights for the user (u), the group (g), other users (o), or all three (a).
- Second: choose whether to add permissions (+), remove them (-), or delete the previous permissions and set new ones (=).
- Third: specify the permissions. Are you setting read (r), write (w), execute (x), or all three?
- Fourth: finally, give the chmod command, naming the file whose access rights will be changed.
Example:
We have a regular file named "example file", and the file has full access permissions for all groups (every triplet is 'rwx').
Initial permission display:
-rwxrwxrwx
1. We delete all current permissions and replace them with read permission only, for all groups.
Syntax: $ chmod a=r "example file"
The display will be: -r--r--r--
2. Next we add execute permission for the group (the middle triplet).
Syntax: $ chmod g+x "example file"
The display will be: -r--r-xr--
3. Next we add write permission for all groups.
Syntax: $ chmod ugo+w "example file"
The display will be: -rw-rwxrw-
4. Next we remove the execute permission from the group (the middle triplet).
Syntax: $ chmod g-x "example file"
The display will be: -rw-rw-rw-
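The four steps above can be checked without touching a real file. This added example (not from the original post, and not chmod's own code) parses the symbolic subset used here, with who = u/g/o/a, operators +, - and =, and permissions r/w/x, then renders each resulting mode the way ls shows it; suid, sgid, the sticky bit and umask defaults are deliberately left out.

```python
import stat

WHO = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
PERM = {"r": 0o444, "w": 0o222, "x": 0o111}

def apply_symbolic(mode, spec):
    """Apply a chmod-style symbolic spec such as 'g+x' or 'u=rw,go=r' to mode."""
    for clause in spec.split(","):
        for i, ch in enumerate(clause):
            if ch in "+-=":
                who, op, perms = clause[:i], ch, clause[i + 1:]
                break
        else:
            raise ValueError(f"no operator in {clause!r}")
        if not who or set(who) - set(WHO) or set(perms) - set(PERM):
            raise ValueError(f"unsupported clause {clause!r}")
        who_mask = 0
        for w in who:
            who_mask |= WHO[w]
        bits = 0
        for p in perms:
            bits |= PERM[p] & who_mask      # keep only the selected triplets
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:                               # '=': clear selected triplets, then set
            mode = (mode & ~who_mask) | bits
    return mode

def display(mode):
    """Render the mode as ls does for a regular file, e.g. '-rw-rw-rw-'."""
    return stat.filemode(stat.S_IFREG | mode)

def walk_through(start=0o777, steps=("a=r", "g+x", "ugo+w", "g-x")):
    """Replay the example: the initial display followed by one display per step."""
    shown = [display(start)]
    for step in steps:
        start = apply_symbolic(start, step)
        shown.append(display(start))
    return shown

if __name__ == "__main__":
    print("\n".join(walk_through()))
```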



