Page 60 - DCAP516_COMPUTER_SECURITY
Computer Security
Support Groups
In their classic form, ACLs do not support groups or wildcards. In practice, systems support one or
the other or both, to limit the size of the ACL and to make manipulation of the lists easier. A
group can either refine the characteristics of the processes to be allowed access or be a synonym
for a set of users, the members of the group.
Conflicts
A conflict arises when two entries in the same ACL give different permissions to the same
subject. The system can allow access if any matching entry would give access, deny access if any
matching entry would deny access, or apply the first entry that matches the subject.
Default Permissions
When ACLs coexist with abbreviations of access control lists or default access rights, as on many
UNIX systems, there are two ways to determine access rights. The first is to apply the appropriate
ACL entry, if one exists, and to fall back on the default permissions or abbreviations of access
control lists otherwise. The second way is to augment the default permissions or abbreviations of
access control lists with those in the appropriate ACL entry.
Task: What are privileged users? Give two examples of privileged users in a UNIX system
and in a Windows system.
5.6 Revocation of Rights
Revocation, that is, preventing a subject from accessing an object, requires that the subject's
rights be deleted from the object's ACL. Preventing a subject from accessing an object at all is
simple: the entry for the subject is deleted from the object's ACL. If only specific rights are to be
deleted, they are removed from the relevant subject's entry in the ACL. If ownership does not
control the giving of rights, revocation is more complex.
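The following toy ACL model is an added example for the Support Groups, Conflicts, Default Permissions and Revocation sections above; it is not code from the textbook. It assumes its own names for the three conflict-resolution policies ("any_allow", "any_deny", "first_match") and the two ways of combining an ACL with default permissions ("override" and "augment"), and the users, groups and entries in the demo are constructed sample data.

```python
# Toy ACL model, added as an example for this section; it is not the
# textbook's code. The policy and mode names are this example's own labels.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Entry:
    """One ACL entry. subject is a user name, "@group", or a wildcard
    pattern such as "*" or "dev-*"; allow/deny are sets of right letters."""
    subject: str
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()


@dataclass
class Acl:
    entries: list = field(default_factory=list)
    groups: dict = field(default_factory=dict)  # group name -> set of users

    def matches(self, entry, user):
        # A group entry is a synonym for its member set; anything else is a
        # (possibly wildcard) user pattern.
        if entry.subject.startswith("@"):
            return user in self.groups.get(entry.subject[1:], set())
        return fnmatchcase(user, entry.subject)

    def decide(self, user, right, policy):
        """Resolve conflicting entries. Returns True (grant), False (deny)
        or None when no entry mentions this right for this user."""
        verdicts = []
        for e in self.entries:
            if not self.matches(e, user):
                continue
            if right in e.allow:
                verdicts.append(True)
            elif right in e.deny:
                verdicts.append(False)
        if not verdicts:
            return None
        if policy == "any_allow":    # grant if any matching entry grants
            return any(verdicts)
        if policy == "any_deny":     # deny if any matching entry denies
            return all(verdicts)
        if policy == "first_match":  # the first matching entry wins
            return verdicts[0]
        raise ValueError(f"unknown policy {policy!r}")


def check(acl, user, right, policy="first_match", default=frozenset(),
          mode="override"):
    """Combine the ACL with default (abbreviated, e.g. UNIX mode) permissions.
    'override': use the ACL verdict if any entry applies, else the default.
    'augment': the default rights are unioned with whatever the ACL grants."""
    verdict = acl.decide(user, right, policy)
    if mode == "override":
        return verdict if verdict is not None else right in default
    if mode == "augment":
        return right in default or verdict is True
    raise ValueError(f"unknown mode {mode!r}")


def revoke(acl, user, rights=None):
    """Revocation: drop the subject's whole entry, or only the named rights."""
    if rights is None:
        acl.entries = [e for e in acl.entries if e.subject != user]
    else:
        for e in acl.entries:
            if e.subject == user:
                e.allow = e.allow - frozenset(rights)


def demo():
    # Constructed sample: bob is in 'staff' (granted r) but also has an
    # explicit entry denying r, so the two entries conflict.
    acl = Acl(groups={"staff": {"alice", "bob"}})
    acl.entries = [
        Entry("@staff", allow=frozenset("r")),
        Entry("bob", allow=frozenset("w"), deny=frozenset("r")),
        Entry("alice", allow=frozenset("rw")),
    ]
    results = {
        "bob r any_allow": check(acl, "bob", "r", "any_allow"),
        "bob r any_deny": check(acl, "bob", "r", "any_deny"),
        "bob r first_match": check(acl, "bob", "r", "first_match"),
        # carol has no entry: only the default (UNIX 'other') rights apply
        "carol r default r": check(acl, "carol", "r", default=frozenset("r")),
        "carol w default r": check(acl, "carol", "w", default=frozenset("r")),
        # augment: the default grant is kept even though bob's entry denies r
        "bob r augment": check(acl, "bob", "r", "any_deny",
                               default=frozenset("r"), mode="augment"),
    }
    revoke(acl, "alice", ["w"])        # remove one right from alice's entry
    results["alice w after revoke"] = check(acl, "alice", "w")
    revoke(acl, "bob")                 # remove bob's own entry entirely
    results["bob r after revoke"] = check(acl, "bob", "r", "any_deny")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The same three entries give three different answers for bob's read access depending on the conflict policy, which is why a system's documented resolution rule matters when auditing an ACL. Note also that after bob's own entry is revoked he still reads through the group entry: revoking a user's entry does not revoke rights the user holds as a group member.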
5.7 Ring-based Access Control
Ring-based access control was introduced by Multics (1964-2000). To understand how it works,
one must keep in mind that files and memory are treated the same with regard to protection.
For example, a procedure (or function) may occupy some space on the disk, referred to as a
segment. When invoked, the segment is mapped into memory and executed. Similarly, data occupies
other segments on the disk and, when accessed, those segments are mapped into memory. Therefore,
there is no difference between a segment on the disk and a segment in memory.
Did you know? Segments are of two types: data and procedure. A segment can have read (r),
write (w), execute (e) and append (a) rights associated with it. These rights are combined
in an access control list, which constrains access on a per-user basis.
In addition, the Multics system defines a sequence of protection rings numbered from 0 to 63.
The kernel resides in ring 0. The rule is that the higher the ring number, the lower will be the
54 LOVELY PROFESSIONAL UNIVERSITY