Access Control Lists
Introduction -
This report will look at various access control methods used by Operating Systems (OS) to control user access to files on a computer and what they can do once they have gained access. In this first section I will look at methods such as Access Control Lists(ACL’s), Capabilities and Encrypting file systems(EFS) and which Operating Systems use these as well as the advantages and disadvantages they have over each other. The second part of my report will focus on one OS and explain in detail the methods it uses to control file access and how it works.
Section A - Review of File Access Control mechanisms.
Access Control Lists - Access Control Lists are used by OS’s such as Windows and UNIX. An ACL is a table that informs the OS of each users access rights to an object within the system, the object could be a program, a single file or a folder. Although ACL’s do the same task in a similar way, the different OS’s each have a different way of carrying it out. With UNIX systems, including the older ones, at least one user would have access to all areas of the system, the idea of this being so that they control the systems for other users and grant or deny them access to various objects. By doing this, UNIX implies that the administrator should have the most control and other users have fewer privileges to reduce security breaches or damage. UNIX’s method of an ACL is the domain; this consists of pairs of objects and rights. The pair, called a tuple, names the object and what operations can be carried out on it. An object in a domain has up to three rights of access; read, write and execute. An object can be part of a number of domains, if it is, then it can have different rights in each domain that it is a part of. In UNIX, the domain has User and Group ID’s (UID, GID) that defines the protection of that domain. Different combinations of UID and GID’s on different objects allow it to be
This report will look at various access control methods used by Operating Systems (OS) to control user access to files on a computer and what they can do once they have gained access. In this first section I will look at methods such as Access Control Lists(ACL’s), Capabilities and Encrypting file systems(EFS) and which Operating Systems use these as well as the advantages and disadvantages they have over each other. The second part of my report will focus on one OS and explain in detail the methods it uses to control file access and how it works.
Section A - Review of File Access Control mechanisms.
Access Control Lists - Access Control Lists are used by OS’s such as Windows and UNIX. An ACL is a table that informs the OS of each users access rights to an object within the system, the object could be a program, a single file or a folder. Although ACL’s do the same task in a similar way, the different OS’s each have a different way of carrying it out. With UNIX systems, including the older ones, at least one user would have access to all areas of the system, the idea of this being so that they control the systems for other users and grant or deny them access to various objects. By doing this, UNIX implies that the administrator should have the most control and other users have fewer privileges to reduce security breaches or damage. UNIX’s method of an ACL is the domain; this consists of pairs of objects and rights. The pair, called a tuple, names the object and what operations can be carried out on it. An object in a domain has up to three rights of access; read, write and execute. An object can be part of a number of domains, if it is, then it can have different rights in each domain that it is a part of. In UNIX, the domain has User and Group ID’s (UID, GID) that defines the protection of that domain. Different combinations of UID and GID’s on different objects allow it to be
Bibliography: Bezroukov, N. 2008 Access Control, http://www.softpanorama.org/Access_control/index.shtml (Modified March 15 2008), [Accessed 24th March 2008] Bezroukov, N. 2008 Access Control Groups, http://www.softpanorama.org/Access_control/groups_administration.shtml (Modified March 15 2008), [Accessed 24th March 2008] Microsoft: 2008 Access Control Lists, http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/distrib/dsce_ctl_rwti.mspx?mfr=true (2008) [Accessed March 24th 2008] Shapiro, J. 1999 What is a Capability http://www.eros-os.org/essays/capintro.html (1999) http://searchwindowssecurity.techtarget.com/news/article/0,289142,sid45_gci1025646,00.html (15th November 2004) [Accessed 25th March 2008] Gupta, R. 2002. Windows 2000 Security (Networking), Muska & Lipman, 1st Editio