Security is easier to achieve if there is a clear model of what is to be protected and who is allowed to do what.
Protection Domains
In order to discuss different protection mechanisms, it is useful to introduce the concept of a domain. A domain is a set of (object, rights) pairs. Each pair specifies an object and some subset of the operations that can be performed on it. Figure 9-4 shows three domains, listing the objects in each domain and the rights (Read, Write, Execute) available on each object.
Note that Printer 1 is in two domains at the same time, with the same rights in each. File1 is also in two domains, with different rights in each one. In UNIX, the domain of a process is defined by its UID and GID. The matrix for Fig. 9-4 is shown in Fig. 9-5. Given this matrix and the current domain number, the system can tell if an access to a given object in a particular way from a specified domain is allowed.
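As an added illustration (not part of these notes, and not the figure's actual contents), the following models the protection matrix as a sparse table of (domain, object) pairs, answers the "is this access allowed from this domain?" question, and then slices the same matrix by column (the per-object list) and by row (the per-domain list). The object and right assignments are constructed sample data, chosen only so that Printer1 is in two domains with the same rights and File1 is in two domains with different rights, as the text describes.

```python
# Added example: a protection matrix over three domains, stored sparsely.
# The (domain, object) -> rights entries below are constructed sample data,
# not the contents of Fig. 9-4.
from typing import Dict, FrozenSet, Tuple

Domain = int
Rights = FrozenSet[str]

# Only (domain, object) pairs that grant at least one right are stored;
# every pair missing from this dict is an empty cell of the matrix.
MATRIX: Dict[Tuple[Domain, str], Rights] = {
    (1, "File1"):    frozenset({"Read"}),
    (1, "File2"):    frozenset({"Read", "Write"}),
    (2, "File1"):    frozenset({"Read", "Write"}),   # same object, different rights
    (2, "Printer1"): frozenset({"Write"}),
    (3, "File3"):    frozenset({"Read", "Write", "Execute"}),
    (3, "Printer1"): frozenset({"Write"}),           # same object, same rights
}


def allowed(domain: Domain, obj: str, op: str) -> bool:
    """True if a process running in `domain` may perform `op` on `obj`.

    An object that is not in the domain at all yields an empty rights set,
    so the default is deny.
    """
    return op in MATRIX.get((domain, obj), frozenset())


def acl(obj: str) -> Dict[Domain, Rights]:
    """One column of the matrix: the access control list attached to `obj`."""
    return {d: r for (d, o), r in MATRIX.items() if o == obj}


def capability_list(domain: Domain) -> Dict[str, Rights]:
    """One row of the matrix: the list of objects (and rights) held by `domain`."""
    return {o: r for (d, o), r in MATRIX.items() if d == domain}


def dense_size() -> Tuple[int, int]:
    """(cells a dense domains x objects matrix would need, cells that are non-empty).

    Shows why storing the full matrix is wasteful: most cells are empty.
    """
    domains = {d for d, _ in MATRIX}
    objects = {o for _, o in MATRIX}
    return len(domains) * len(objects), len(MATRIX)


if __name__ == "__main__":
    print("domain 1 may read File1:", allowed(1, "File1", "Read"))
    print("domain 1 may write File1:", allowed(1, "File1", "Write"))
    print("ACL of Printer1:", acl("Printer1"))
    print("capability list of domain 1:", capability_list(1))
    print("dense cells vs. used cells:", dense_size())
```

The same dictionary serves both views; which one a system persists (columns as ACLs, rows as capability lists) is the design choice the next two sections compare.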
Access Control Lists
Storing a very large, mostly empty matrix is a waste of disk space, so the matrix is stored as lists instead. In this section we will look at storing it by column; in the next we will study storing it by row. The list for one column is called the Access Control List (or ACL) and is illustrated in Fig. 9-7. Here we see three processes, each belonging to a different domain, A, B, and C, and three files F1, F2, and F3. For simplicity, we will assume that each domain corresponds to exactly one user, in this case users A, B, and C.
The first entry says that any process owned by user A may read and write the file. The second entry says that any process owned by user B may read the file. All other accesses by these users and all accesses by other users are forbidden. Note that the rights are granted by user, not by process. The ACLs of the other files are read in the same way.
In some systems, each process has a user ID (UID) and group ID (GID). In such systems, an ACL contains entries of the form
UID1, GID1: rights1 ; UID2, GID2: rights2; ...
When a request is made to access an object, the check is made using the caller's UID and GID. If they are present in the ACL, the rights listed there are available. If they are not in the list, the access is not permitted. It sometimes occurs that a user or a group has certain permissions with respect to a file that the file owner later wishes to revoke. With access control lists, it is easy to revoke a previously granted access.
However, if the ACL is checked only when a file is opened, the change will most likely take effect only on future calls to open. Any file that is already open will continue to have the rights it had when it was opened, even if the user is no longer authorized to access the file.
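The following added example (mine, not from these notes) implements the entry format `UID1, GID1: rights1 ; UID2, GID2: rights2; ...` as a small parser, checks a request against the caller's (UID, GID), and then plays out the revocation caveat: a handle opened before the entry is removed keeps its rights, a fresh open is refused, and a variant that re-consults the ACL on every access sees the revocation at once. The UIDs, GIDs and the textual rights spelling are constructed sample values; the F1 entries (A: read and write, B: read) follow the notes.

```python
# Added example: (UID, GID): rights ACL entries, open-time checking, and what
# revocation does (and does not) affect. All identifiers are constructed samples.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

Principal = Tuple[int, int]          # (UID, GID)
Rights = FrozenSet[str]


def parse_acl(spec: str) -> Dict[Principal, Rights]:
    """Parse 'UID1, GID1: rights1 ; UID2, GID2: rights2' into a lookup table.

    Rights are whitespace-separated words (e.g. 'Read Write'); this spelling is
    an assumption of the example, not a real system's syntax.
    """
    acl: Dict[Principal, Rights] = {}
    for entry in spec.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        ids, rights = entry.split(":", 1)
        uid, gid = (int(x) for x in ids.split(","))
        acl[(uid, gid)] = frozenset(rights.split())
    return acl


@dataclass
class ProtectedFile:
    name: str
    acl: Dict[Principal, Rights] = field(default_factory=dict)   # stored per object (by column)

    def rights_for(self, uid: int, gid: int) -> Rights:
        """Rights for the caller's (UID, GID); a missing entry means no access."""
        return self.acl.get((uid, gid), frozenset())

    def revoke(self, uid: int, gid: int) -> None:
        """Revocation with an ACL is just deleting the entry on the object."""
        self.acl.pop((uid, gid), None)


@dataclass
class OpenFile:
    """Handle returned by open_file(); it caches the rights as of open time."""
    f: ProtectedFile
    rights: Rights


def open_file(f: ProtectedFile, uid: int, gid: int, mode: str) -> Optional[OpenFile]:
    """Check the ACL once, at open. Returns None if `mode` is not granted."""
    rights = f.rights_for(uid, gid)
    if mode not in rights:
        return None
    return OpenFile(f, rights)


def read_via_handle(h: OpenFile) -> bool:
    """System that checks only at open: later reads consult the cached rights."""
    return "Read" in h.rights


def read_checked_each_time(h: OpenFile, uid: int, gid: int) -> bool:
    """Alternative: re-read the ACL on every access, so revocation is immediate."""
    return "Read" in h.f.rights_for(uid, gid)


def revocation_scenario() -> Tuple[bool, bool, bool]:
    """Open F1 as B, revoke B, then compare the three behaviours.

    Returns (cached handle still reads, per-access check still reads, new open refused).
    """
    A, B = (1000, 100), (1001, 100)                     # constructed UIDs/GIDs
    f1 = ProtectedFile("F1", parse_acl("1000, 100: Read Write ; 1001, 100: Read"))
    handle = open_file(f1, *B, "Read")
    assert handle is not None                           # B is allowed to open for reading
    f1.revoke(*B)                                       # owner removes B's entry
    return (
        read_via_handle(handle),                        # True: open handle keeps its rights
        read_checked_each_time(handle, *B),             # False: per-access check sees revocation
        open_file(f1, *B, "Read") is None,              # True: a fresh open is refused
    )


if __name__ == "__main__":
    print(revocation_scenario())
```

Checking on every access closes the window the notes describe, at the cost of an ACL lookup per operation; checking only at open is cheaper, which is why many systems accept that already-open files outlive a revocation.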