Ok Ntfs

707 Words3 Pages
Access control Basic concepts Access control • What can you do after authentication? • ”The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner”
 (ITU-T Recommendation X.800) AC concepts reference makes monitor request user or represented 
 subject by ”principal” process, method, 
 code… Authorization decision read, write, delete, create… object file, memory, device, process, method, code… protected 
 entity is granted access (or not) active entity Auth… what? • Authentication: who made the request? • Authorization: is the subject authorized/ trusted to perform the operation? • Basic: observe, alter – very abstract, good for modeling…show more content…
Capabilities bjorn eva lila4711 rast1337 assignment.txt read, write read read solution.txt read, write read grades.xls read, write read, write - Where is each used? (Examples, OS, computer architecture?) Why? (Advantages, disadvantages?) ACLs vs. Capabilities File protection, authentication data • Good for owned objects: can review rights by inspecting objects rights of a subject each reference • Good: Delegation possible MMU, page table, 
 open file descriptors, 
 certificates • Hard to e.g. revoke all • Expensive to check at • Hard to see who has with delegation what access to an object • Harder to revoke, esp. Combining ACL/CL • Checking file ACL for each read/write operation is too expensive (why?) • Typical solution: f = open(”file.txt”,O_RDWR); ‣ check ACL when file is opened, return file descriptor which contains rights allowed at opening = capability ‣ check capability at read/write operations Any problems possible? fail = write(f, buffer, size); TOCTTOU! But who sets access rights? • Define an owner of each object • Let owner set access rights for objects at his/her discretion Discretionary AC (DAC) • Like standard file protection Any problems possible? Mandatory AC (MAC) • System-wide access control policy decides • Avoids mistakes (or centralizes them) Combining MAC and DAC: which takes precedence? Bases for access control • Identity-based

More about Ok Ntfs

Open Document