Owlcom software
basadOwlCom  Software
Let's Owl manage your files
Welcome Screenshots Buy now Download Write to Owl Subscribe to news FAQ Links
Controlling access to files Access to files as a special case of access to shared resources The files are private, although the most popular form of shared resources, access to which the operating system must control. There are other kinds of resources that users online sharing. First is the variety of external devices: printers, modems, plotters, etc. The area of memory used for data exchange between processes is also an example of a shared resource. But trials in some cases serve that role, for example, when users of OS send signals, which must respond. In all these cases, a common pattern: people are trying to comply with the shared resource of certain operations, and OS must decide whether users of this right. Users are subjects of access, and shared resources-sites. The user has access to the operating system directly, but through the application of processes that run on its behalf. For each type of a set of operations that they can perform. For example, to file this operation read and write, delete, execute; Printer re-cleaning queue documents, the suspension of the press, etc. OS access control system should provide a means to specify the rights of users to the sites diversified operations, for example, a user may be permitted to read and operation of the file and delete operations - is prohibited. Many operating systems implemented mechanisms, which enable the access to the sites of various types with one voice. Thus, the presentation of I / O devices in a special file in the UNIX operating system is an example of such an approach: in this case, with access to devices used by the same attributes and algorithms that of a normal access to files and directories. Even more advanced in this area Windows NT. It uses a unified structure-security facility, which is not only for files and external devices, but also for any shared resources: Sections memory primitives synchronize Mutexes and semaphore type, etc. This allows you to use Windows NT for access control the resources of any kind of common kernel module-safety manager. As players can access as individual users or groups of users. Definition of individual access rights for each user allows the greatest flexibility to set spending policies shared resources in the computer system. However, this method leads to a large system administrator excessive loading routine work on repeating the same operations for users with the same rights. Combining such users in the group and give access to the group as a whole is one of the main methods of administration of large systems. Each object access is the owner. The owner can be otdelnyy- 'user or group of users. The owner has the right to object to every possible facility for the transaction. Many operating systems have a particular user (superuser, root, administrator), which is all right with respect to any of the system, not necessarily their own. Under this name is the system administrator who needs full access to all files and devices for access control policies. There are two basic approaches to the definition of access rights. Selective access is a place where every object the owner can determine the allowable transactions with objects. This approach is also called the arbitrary (from the discretionary - granted at their own discretion) access, as well as allows the administrator and owners of the right to determine arbitrarily, in their desire. Between users and groups of users access to the electoral system is rigid hierarchical relationships, ie relationships, which are defined by default and can not be changed. An exception is made only for the administrator, by default nadelyaemogo all rights. Mandatny access (from the mandatory-binding, forced) is an approach to determining access rights, in which the system gives the user certain rights with respect to each shared resource (in this case file) according to which group a user assigned. On behalf of a system administrator, and the owners are deprived of the possibility to control access to them at their discretion. All users of such a system, a strict hierarchy, with each group enjoys all the rights of groups of lower-level hierarchy, which added to the right level. Members of a group are not allowed to provide the right team members at lower levels of hierarchy. Mandate way to access similar to the scheme used to access secret papers: the user can log in to one of the groups that are the right of access to classified documents with the secrecy, such as "for official use", "secret", "secret" and " State secrets ". This user group "secret" may work with the documents "secret" and "for official use", as they are allowed access to lower in the hierarchy of groups. However, we are not managed access, the opportunity is just a special official institutions. Mandated access systems are considered more reliable, but less flexible, usually used in specialized computer systems with higher security requirements information. In the universal system used typically polling access methods, which will be discussed below. To be certain, will continue to consider mechanisms to control access to such facilities as files and directories, but it must be understood that the same tools could be used in modern operating systems to control access to any type and contrast are only set of operations specific to one or a class of objects. Access Control Mechanism Each person and each group of users tend to have a symbolic name, as well as a unique numeric identifier. In carrying out procedures logical login user submits its symbolic name and password, and the operating system determines the appropriate numerical identifiers and user groups to which he belongs. All identifying information, including names and identifiers of users and groups of users passwords, as well as information on the incorporation of user groups stored in a file (/ etc / passwd in UNIX) or a special database (Windows NT). Logging system generates protsess- sheath, which supports dialogue with the user and starts for him other processes. Protsess- envelope is symbolic of a user name and password and is on numerical identifiers and user groups. These identifiers associated with each process running casing for the user. They say that on behalf of the user data and user groups. In the most typical case caused any process inherits user IDs and groups from the parent. Determine the right of access to a resource is to identify each user a set of transactions that allowed him to apply to this resource. Different operating systems for the same types of resources can be determined his list differentiated access operations. To file of the list may include the following operations: Creating a file; The destruction of the file; Open a file; closure of the file; read from the file; write to the file; Further file; The search for a file; Obtaining file attributes; The installation of new attribute values; Rename; To file; reading catalogue; The change in ownership; change access rights. Set operations OS file may consist of a large number of elementary operations, and may include a few larger operations. The above list is an example of the first approach, which allows very fine control access rights of users, but also creates a significant burden on the administrator. Example broad approach demonstrated UNIX family of operating systems, in which there are only three operations files and directories: read (read, d), write (write, w) and run (execute, x). Although UNIX is used for the operations of all three titles, in fact, it corresponds more operations. For example, the operation to depend on what object it is applied. If execute file intuitive, the operation is interpreted as a directory to search a directory listing. So UNIX administrator, in fact, has a large list of operations than it appears at first glance. In Windows NT developers have used the flexibility they have implemented to work with operations to the files on two levels: the default administrator working on the broad level (level of standard operations), and, if desired, can go to the elementary level (the level of individual transactions). In the most general case of access rights can be described matrix access, in which the columns are all system files, line-users, and at the intersection of rows and columns are permitted operation (Figure 7.28). Almost all operating systems matrix access stored "in part", that is, for each file or directory is called access control list (Access Control List, ACL), which describes the right to carry out operations of users and user groups from the same the file or directory. List management access is part of a file or directory and stored on the disk in the field, such as index descriptor inode ufs file system. He supports all file system access control lists, for example, it does not support the FAT file system as it was designed for single odnoprogrammnoy MS-DOS operating system for which the task of protection against unauthorized access is not valid. Generally a list of access control can be provided as a set of user IDs and user groups, which indicates identifier for each set of allowed operations of the object (figure 7.29). It is said that ACL is a list of the elements of access control (Access Control Element, ASE), with each element corresponds to one identifier. ACL added to the list to the ID holder called in security features.
Welcome    Screenshots    Download    Buy now Write to Owl    Subscribe to Owl news   FAQ   Links  
Copyright © 2004-2011 OwlCom Software .

Owl Commander

OISV - Organization of Independent Software Vendors - Contributing Member Software Submit .NET - FREE and PREMIUM search engines submission and software submission and software promotion service. Owl Commander

Valid HTML 4.01 Transitional