2018329621176_曹欣然_hw11 Version 0
👤 Author: by 439731491qqcom 2021-01-07 12:42:09

For Windows:


      The access control model enables you to control the ability of a process to access securable objects or to perform various system administration tasks. There are two basic parts of the access control model:





  • Access tokens, which contain information about a logged-on user;




  • Security descriptors, which contain the security information that protects a securable object.




      When a user logs on, the system authenticates the user's account name and password. If the logon is successful, the system creates an access token. Every process executed on behalf of this user will have a copy of this access token. The access token contains security identifiers that identify the user's account and any group accounts to which the user belongs. The token also contains a list of the privileges held by the user or the user's groups. The system uses this token to identify the associated user when a process tries to access a securable object or perform a system administration task that requires privileges.


      When a securable object is created, the system assigns it a security descriptor that contains security information specified by its creator, or default security information if none is specified. Applications can use functions to retrieve and set the security information for an existing object.


      A security descriptor identifies the object's owner and can also contain the following access control lists:





  • A discretionary access control list (DACL) that identifies the users and groups allowed or denied access to the object




  • A system access control list (SACL) that controls how the system audits attempts to access the object




      An ACL contains a list of access control entries (ACEs). Each ACE specifies a set of access rights and contains a SID that identifies a trustee for whom the rights are allowed, denied, or audited. A trustee can be a user account, group account, or logon session.


      Use functions to manipulate the contents of security descriptors, SIDs, and ACLs rather than accessing them directly. This helps ensure that these structures remain syntactically accurate and prevents future enhancements to the security system from breaking existing code.
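The way a token's SIDs are matched against the ACEs of a DACL can be seen in a small model. This is an added example, not code from the original homework and not the Windows API: it is a simplified Python simulation in which the right bits, SIDs and names are constructed, and owner rights, privileges and the SACL are left out. It goes slightly beyond the text by showing that ACE order matters and that an object with no DACL differs from one with an empty DACL.

```python
from dataclasses import dataclass
from typing import Optional

# Access-right bits for this model (constructed values, not Windows constants).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee the entry applies to
    mask: int   # rights allowed or denied

@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset

    def sids(self):
        return {self.user_sid} | self.group_sids

@dataclass(frozen=True)
class SecurityDescriptor:
    owner_sid: str
    dacl: Optional[tuple]   # None = object has no DACL; () = empty DACL

def access_check(token, sd, desired):
    """Walk the DACL in order; True only if every desired right is granted."""
    if sd.dacl is None:          # no DACL at all: nothing restricts access
        return True
    remaining = desired          # rights still waiting for an allow ACE
    for ace in sd.dacl:
        if ace.sid not in token.sids():
            continue             # ACE names a trustee that is not in the token
        if ace.kind == "deny" and ace.mask & remaining:
            return False         # explicit deny reached before the right was granted
        if ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False                 # something was never allowed: implicit deny

# Constructed sample SIDs and tokens.
STAFF, INTERNS = "S-1-5-21-1-2-3-2001", "S-1-5-21-1-2-3-2002"
alice = Token("S-1-5-21-1-2-3-1001", frozenset({STAFF}))
bob = Token("S-1-5-21-1-2-3-1002", frozenset({STAFF, INTERNS}))
report = SecurityDescriptor(alice.user_sid, (
    Ace("deny", INTERNS, WRITE),          # deny entries first
    Ace("allow", STAFF, READ | WRITE),
))
misordered = SecurityDescriptor(alice.user_sid, tuple(reversed(report.dacl)))
```

With the deny entry first, bob (a member of both groups) can read but not write; in the misordered DACL the allow entry is reached first and his write request is granted.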



For UNIX:


      Under Linux, the parties that can operate on a file (or resource) are divided into three categories: the file owner, the group (which may not be the file owner's group), and others. For each category, read, write and execute permissions and special permissions are defined. But these permissions can only be applied per category: if you want to set different permissions for some other user group, or for one particular user among the others, it won't work.


      The main purpose of the access control list (ACL) on Linux is to provide fine-grained permission settings in addition to the traditional owner, group, and others read, write, and execute permissions. An ACL can set r, w, x permissions for a single user on a single file or directory, which is especially suitable for use cases that require special permissions. Simply put, an ACL sets the operation permissions of a specific user or user group for a file or directory, which allows flexible permission management: in addition to the owner of the file, the group and others, permissions can be set for more users.


      Since ACLs are an extension to the traditional permissions of Unix-like operating systems, their use must be supported by the file system. Most current file systems support ACLs.
