File Protection Mechanisms
Until now, we have examined
approaches to protecting a general object, no matter the object's nature or
type. But some protection schemes are particular to the type. To see how they
work, we focus in this section on file protection. The examples we present are
only representative; they do not cover all possible means of file protection on
the market.
Basic Forms of Protection
We noted earlier that all
multiuser operating systems must provide some minimal protection to keep one
user from maliciously or inadvertently accessing or modifying the files of
another. As the number of users has grown, so also has the complexity of these
protection schemes.
AllNone Protection
In the original IBM OS
operating systems, files were by default public. Any user could read, modify,
or delete a file belonging to any other user. Instead of software- or
hardware-based protection, the principal protection involved trust combined
with ignorance. System designers supposed that users could be trusted not to
read or modify others' files because the users would expect the same respect
from others. Ignorance helped this situation, because a user could access a
file only by name; presumably users knew the names only of those files to which
they had legitimate access.
However, it was acknowledged
that certain system files were sensitive and that the system administrator
could protect them with a password. A normal user could exercise this feature,
but passwords were viewed as most valuable for protecting operating system
files. Two philosophies guided password use. Sometimes, passwords controlled
all accesses (read, write, or delete), giving the system administrator complete
control over all files. But at other times passwords controled only write and
delete accesses because only these two actions affected other users. In either
case, the password mechanism required a system operator's intervention each
time access to the file began.
However, this all-or-none
protection is unacceptable for several reasons.
Lack of trust. The assumption
of trustworthy users is not necessarily justified. For systems with few users
who all know each other, mutual respect might suffice; but in large systems
where not every user knows every other user, there is no basis for trust.
Too coarse. Even if a user
identifies a set of trustworthy users, there is no convenient way to allow
access only to them.
Rise of sharing. This
protection scheme is more appropriate for a batch environment, in which users
have little chance to interact with other users and in which users do their
thinking and exploring when not interacting with the system. However, on
shared-use systems, users interact with other users and programs representing
other classes of users.
Complexity. Because (human)
operator intervention is required for this file protection, operating system
performance is degraded. For this reason, this type of file protection is
discouraged by computing centers for all but the most sensitive data sets.
File listings. For accounting
purposes and to help users remember for what files they are responsible,
various system utilities can produce a list of all files. Thus, users are not
necessarily ignorant of what files reside on the system. Interactive users may
try to browse through any unprotected files.
Group Protection
Because the all-or-nothing
approach has so many drawbacks, researchers sought an improved way to protect
files. They focused on identifying groups of users who had some common
relationship. In a typical Unix+ implementation, the world is divided into
three classes: the user, a trusted working group associated with the user, and
the rest of the users. For simplicity we can call these classes user, group,
and world. Windows NT+ uses groups such as Administrators, Power Users, Users,
and Guests. (NT+ administrators can also create other groups.)
All authorized users are
separated into groups. A group may consist of several members working on a
common project, a department, a class, or a single user. The basis for group
membership is need to share. The group members have some common interest and
therefore are assumed to have files to share with the other group members. In
this approach, no user belongs to more than one group. (Otherwise, a member
belonging to groups A and B could pass along an A file to another B group
member.)
When creating a file, a user
defines access rights to the file for the user, for other members of the same
group, and for all other users in general. Typically, the choices for access
rights are a limited set, such as {update, readexecute, read,
writecreatedelete}. For a particular file, a user might declare read-only
access to the general world, read and update access to the group, and all rights
to the user. This approach would be suitable for a paper being developed by a
group, whereby the different members of the group might modify sections being
written within the group. The paper itself should be available for people
outside the group to review but not change.
A key advantage of the group
protection approach is its ease of implementation. A user is recognized by two
identifiers (usually numbers): a user ID and a group ID. These identifiers are
stored in the file directory entry for each file and are obtained by the
operating system when a user logs in. Therefore, the operating system can
easily check whether a proposed access to a file is requested from someone
whose group ID matches the group ID for the file to be accessed.
Although this protection
scheme overcomes some of the shortcomings of the all-or-nothing scheme, it
introduces some new difficulties of its own.
Group affiliation. A single user cannot belong
to two groups. Suppose Tom belongs to one group with Ann and to a second group
with Bill. If Tom indicates that a file is to be readable by the group, to
which group(s) does this permission refer? Suppose a file of Ann's is readable
by the group; does Bill have access to it? These ambiguities are most simply
resolved by declaring that every user belongs to exactly one group. (This
restriction does not mean that all users belong to the same group.)
Multiple personalities. To
overcome the one-person one-group restriction, certain people might obtain
multiple accounts, permitting them, in effect, to be multiple users. This hole
in the protection approach leads to new problems because a single person can be
only one user at a time. To see how problems arise, suppose Tom obtains two
accounts, thereby becoming Tom1 in a group with Ann and Tom2 in a group with
Bill. Tom1 is not in the same group as Tom2, so any files, programs, or aids
developed under the Tom1 account can be available to Tom2 only if they are
available to the entire world. Multiple personalities lead to a proliferation of
accounts, redundant files, limited protection for files of general interest,
and inconvenience to users.
All groups. To avoid multiple
personalities, the system administrator may decide that Tom should have access
to all his files any time he is active. This solution puts the responsibility
on Tom to control with whom he shares what things. For example, he may be in
Group1 with Ann and Group2 with Bill. He creates a Group1 file to share with
Ann. But if he is active in Group2 the next time he is logged in, he still sees
the Group1 file and may not realize that it is not accessible to Bill, too.
Limited sharing. Files can be
shared only within groups or with the world. Users want to be able to identify
sharing partners for a file on a per-file basis; for example, sharing one file
with ten people and another file with twenty others.
Individual Permissions
In spite of their drawbacks,
the file protection schemes we have described are relatively simple and
straightforward. The simplicity of implementing them suggests other
easy-to-manage methods that provide finer degrees of security while associating
permission with a single file.
Persistent Permission
From other contexts you are
familiar with persistent permissions
. The usual implementation of such a scheme uses a name (you claim a dinner
reservation under the name of Sanders), a token (you show your driver's license
or library card), or a secret (you say a secret word or give the club
handshake). Similarly, in computing you are allowed access by being on the
access list, presenting a token or ticket, or giving a password. User access
permissions can be required for any access or only for modifications (write
access).
All these approaches present
obvious difficulties in revocation: Taking someone off one list is easy, but it
is more complicated to find all lists authorizing someone and remove him or
her. Reclaiming a token or password is even more challenging.
Temporary Acquired Permission
Unix+ operating systems
provide an interesting permission scheme based on a three-level usergroupworld
hierarchy. The Unix designers added a permission called set userid (suid). If this protection is set for a file to be
executed, the protection level is that of the file's owner, not the executor.
To see how it works, suppose Tom owns a file and allows Ann to execute it with
suid. When Ann executes the file, she has the protection rights of Tom, not of
herself.
This peculiar-sounding
permission has a useful application. It permits a user to establish data files
to which access is allowed only through specified procedures.
For example, suppose you want
to establish a computerized dating service that manipulates a database of
people available on particular nights. Sue might be interested in a date for
Saturday, but she might have already refused a request from Jeff, saying she
had other plans. Sue instructs the service not to reveal to Jeff that she is
available. To use the service, Sue, Jeff, and others must be able to read the
file and write to it (at least indirectly) to determine who is available or to
post their availability. But if Jeff can read the file directly, he would find
that Sue has lied. Therefore, your dating service must force Sue and Jeff (and
all others) to access this file only through an access program that would
screen the data Jeff obtains. But if the file access is limited to read and
write by you as its owner, Sue and Jeff will never be able to enter data into
it.
The solution is the Unix SUID
protection. You create the database file, giving only you access permission.
You also write the program that is to access the database, and save it with the
SUID protection. Then, when Jeff executes your program, he temporarily acquires
your access permission, but only during execution of the program. Jeff never
has direct access to the file because your program will do the actual file
access. When Jeff exits from your program, he regains his own access rights and
loses yours. Thus, your program can access the file, but the program must
display to Jeff only the data Jeff is allowed to see.
This mechanism is convenient
for system functions that general users should be able to perform only in a
prescribed way. For example, only the system should be able to modify the file
of users' passwords, but individual users should be able to change their own
passwords any time they wish. With the SUID feature, a password change program
can be owned by the system, which will therefore have full access to the system
password table. The program to change passwords also has SUID protection so
that when a normal user executes it, the program can modify the password file
in a carefully constrained way on behalf of the user.
Per-Object and Per-User
Protection
The primary limitation of these protection
schemes is the ability to create meaningful groups of related users who should
have similar access to related objects. The access control lists or access
control matrices described earlier provide very flexible protection. Their
disadvantage is for the user who wants to allow access to many users and to
many different data sets; such a user must still specify each data set to be
accessed by each user. As a new user is added, that user's special access
rights must be specified by all appropriate users.
Related Topics
Privacy Policy, Terms and Conditions, DMCA Policy and Compliant
Copyright © 2018-2023 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.