Fig. 7.29. Checking access

In the example of Figure 7.29, a process acting on behalf of the user with ID 14 and the groups with IDs 52 and 72 attempts to write (W) to a file. The file is owned by the user with ID 17. On receiving the write request, the operating system reads the file's security attributes (from disk or from a buffer in system memory) and compares, in turn, the file owner's ID and the user and group IDs of the process against the identifiers stored in the access control entries (ACEs). In this example one of the group IDs on whose behalf the process acts, namely 52, matches the identifier part of an ACE. Because the group with ID 52 is permitted the write operation (the W flag is in that entry's set of operations), the OS allows the operation to proceed.

The general scheme described here for storing access rights and checking them has its own specifics in each operating system; these are discussed below for UNIX and Windows NT.

Access control in UNIX

In UNIX, access to a file or directory is defined for three subjects: the owner of the file (user ID, UID); the members of the group to which the owner belongs (group ID, GID); all other users of the system. Since UNIX distinguishes only three operations on files and directories (read, write, execute), a file's security attributes consist of nine flags specifying whether each of the three operations may be performed by each of the three subjects. For example, if the owner of a file is allowed all three operations, members of the group are allowed read and execute, and all other users only read, the nine flags of the file are written as follows:

rwx r-x r--

Here r, w and x denote the read, write and execute operations respectively. Access rights are displayed in exactly this form by the ls command that lists the files of a directory. In UNIX, the root user is always allowed any access, so its identifier (which is 0) never appears in access control lists.
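The nine-flag UNIX check just described, as an added example (not code from the original page): it parses the ls-style mode string, selects the subject class and applies the root rule. The dataclass, the function names and the sample IDs are assumptions for illustration.

```python
# Added example (not from the original page): a model of the UNIX nine-flag
# file permission check. Names and sample identifiers are assumed.
from dataclasses import dataclass

OPS = "rwx"  # read, write, execute, in the order shown by ls


@dataclass
class UnixFile:
    owner_uid: int
    owner_gid: int
    mode: str  # symbolic form as printed by ls, e.g. "rwx r-x r--"


def parse_mode(mode: str) -> dict:
    """Split the nine symbolic flags into the three subjects' permission sets."""
    bits = mode.replace(" ", "")
    if len(bits) != 9:
        raise ValueError("expected nine permission characters")
    subjects = {}
    for name, chunk in zip(("owner", "group", "other"),
                           (bits[0:3], bits[3:6], bits[6:9])):
        subjects[name] = {op for op, ch in zip(OPS, chunk) if ch == op}
    return subjects


def unix_access(f: UnixFile, uid: int, gids: set, op: str) -> bool:
    """Decide whether the subject (uid, gids) may perform op ("r", "w" or "x").

    root (uid 0) is always allowed, so it never appears in the flags.
    Exactly one subject class is consulted: owner if the uid matches, else
    group if the file's group is among the subject's groups, else other.
    (The page lists the three subjects; the first-match rule is standard
    UNIX behaviour, stated here as an assumption of the model.)
    """
    if op not in OPS:
        raise ValueError(f"unknown operation {op!r}")
    if uid == 0:
        return True  # root bypasses the flags entirely
    perms = parse_mode(f.mode)
    if uid == f.owner_uid:
        cls = "owner"
    elif f.owner_gid in gids:
        cls = "group"
    else:
        cls = "other"
    return op in perms[cls]
```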
Two identifiers are associated with each UNIX process: that of the user on whose behalf the process was created, and that of the group to which this user belongs. These are called the real user ID (RUID) and the real group ID (RGID). However, when access to a file is checked it is not these identifiers that are used but the so-called effective user ID (EUID) and effective group ID (EGID) (Fig. 7.30). The effective identifiers allow a process, in certain cases, to act as a different user and group than the ones it received at creation. Initially the effective identifiers are equal to the real ones. When a process issues the exec system call to run code stored in a file, UNIX replaces the process's executable code. The new code then runs, and if the file's security attributes carry the flags for changing the user and group IDs, the effective identifiers of the process are changed as well. A file has two such flags, set-user-ID on execution (SUID) and set-group-ID on execution (SGID), which permit the user and group IDs to be replaced while that file is executed. The effective-identifier mechanism lets a user obtain certain kinds of access that are not explicitly granted to him, but only through a strictly limited set of programs, namely those stored in files carrying the ID-change flags.

An example of such a situation is shown in Fig. 7.31. Initially the process's effective user and group IDs (12 and 23 respectively) coincide with the real ones. At some point the process requests execution of the file b.exe. The process is allowed to execute b.exe even though its effective identifiers match neither the owner nor the group of that file, because execution of the file is permitted to all other users. The file b.exe has the SUID and SGID flags set, so together with the change of code the process's effective identifiers change as well (to 35 and 47). Consequently, a subsequent attempt by the process to write to the file f1.doc succeeds, because the new effective group ID of the process coincides with the group ID of f1.doc. Without the ID change, this write operation would have been refused.

The described mechanism serves the same purpose as the mechanism of conforming (subordinate) segments of the Pentium processor discussed earlier. Using the file as a universal model of a shared resource, UNIX applies the same mechanisms to control access to files, directories, printers, terminals and shared memory segments. UNIX access control was developed in the 1970s and has changed little since. It is a simple system which in many cases lets the administrator achieve the goal of preventing unauthorized access, but sometimes such a solution demands too much ingenuity, or cannot be achieved at all.

Access control in Windows NT

Overview

The access control system of Windows NT is characterized by a high degree of flexibility, achieved through the wide variety of subjects and objects of access and the fine granularity of access operations. Windows NT uses a common object model for shared resources, which includes such security attributes as the set of allowed operations, the owner's identifier and the access control list. Objects are created in Windows NT for every resource that is or may be shared: files, directories, devices, memory sections, processes. The attributes of a Windows NT object are divided into two parts: a general part, independent of the object type, and an individual part defined by the object type. All objects are stored in a hierarchical tree structure whose branch elements are directories and whose leaf elements are files. For the file system this relationship pattern is a direct reflection of the hierarchy of directories and files. For other object types the hierarchical scheme has its own meaning: for processes it reflects the parent-child relationship, and for devices it reflects membership in a particular device type and the connection of devices to other devices, such as disks to a SCSI controller.
Access checks for objects of every type are performed centrally by the Security Reference Monitor, which runs in privileged mode. Centralized access control improves the reliability of the operating system's security compared with a distributed implementation, in which various OS modules each have their own access-checking procedures and the likelihood of programmer error is higher.

The Windows NT security system is characterized by a large number of predefined (built-in) subjects of access, both individual users and groups. Thus the system always has the users Administrator, Guest and System, and the groups Users, Administrators, Account Operators, Server Operators, Everyone and others. The idea of built-in users and groups is that they come with certain rights, which makes it easier for the administrator to build an effective access control system. When adding a new user, the administrator need only decide which group or groups to place the user in. Of course, the administrator can create new groups, as well as add rights to the built-in groups to implement his own security policy, but in many cases the built-in groups are quite sufficient.

Windows NT supports three classes of access operations, which differ in the types of subjects and objects involved.

Permissions are a set of operations that can be defined for all types of subjects with respect to objects of any type: files, directories, printers, memory sections, etc. In their purpose, permissions correspond to the access rights to files and directories in UNIX.

User rights are defined for subjects of the group type and cover the performance of certain system operations: setting the system time, backing up files, shutting down the computer, etc. The object involved in these operations is a special one, the operating system as a whole. It is chiefly rights that distinguish one built-in group from another. Some rights of built-in groups are themselves built in and cannot be removed from that group; the remaining rights of built-in groups can be removed (or added from the general list of rights).

User abilities are defined for individual users and concern actions related to shaping the operating environment, such as changing the composition of the main program menu, access to the Run menu item, etc. By narrowing the set of abilities (which are available to the user by default), the administrator can "compel" the user to work with the operating environment that the administrator considers most appropriate, and shield the user from his own mistakes.

The rights and permissions granted to a group are automatically available to its members, which allows the administrator to treat a large number of users as a single unit of accounting information and minimizes his actions.

The check of access permissions for an object in Windows NT largely follows the general scheme of access checking shown in Fig. 7.29. When a user logs in, a so-called access token is created for him, which includes the user's ID and the IDs of all groups the user belongs to. The token also contains a default access control list (ACL), consisting of permissions, which the process uses for the objects it creates, and a list of the user's rights to perform system actions. All objects, including files, streams, events and even access tokens, are supplied with a security descriptor when they are created. The security descriptor contains the access control list (ACL). The owner of an object, usually the user who created it, has the right to selectively control access to the object and may change the object's ACL to allow or deny others access to it. Unlike UNIX root, the built-in Windows NT administrator may be denied some permissions on an object; to implement this, the identifiers of the administrator and of the Administrators group can be entered into the ACL just like those of ordinary users. However, the administrator still has the possibility of performing any operation on any object, because he can always take ownership of the object and then, as owner, obtain the full set of permissions.
But the administrator cannot return ownership to the previous owner, so the owner can always tell that the administrator has worked with his file or printer.

When an operation on an object is requested in Windows NT, control always passes to the security monitor, which compares the user and group identifiers from the access token with the identifiers stored in the elements of the ACL. Unlike UNIX, the ACL elements of Windows NT may contain both lists of allowed and lists of denied user operations. The security system could verify the permissions every time an object is used. But an ACL consists of many elements, a process during its lifetime may obtain access to many objects, and the number of active processes at any moment is also high. Therefore the check is performed only at each opening of an object, not at each use of it.

To let a process change its identifiers in certain situations, Windows NT implements the impersonation mechanism. Windows NT distinguishes simple subjects and server subjects. A simple subject is a process that is not allowed to change its access token and therefore cannot change its identifiers. A server subject is a process that works as a server and serves the processes of its clients (for example, a file server). Such a process is allowed to obtain the access token of the client that asks the server to perform some action, and to use that token when accessing objects.

Windows NT has clearly defined rules for assigning an ACL to a newly created object. If the calling code, when creating an object, explicitly specifies all access rights to the new object, the security system assigns this ACL to the object. If the calling code does not supply an ACL and the object has a name, the inheritance principle applies. The security system examines the ACL of the object directory in which the name of the new object is placed. Some entries of the directory's ACL may be marked as inheritable, meaning that they can be assigned to new objects created in that directory. In the case where the process has not explicitly asked for an ACL for the object and the object directory has no inheritable ACL elements, the object receives the default ACL from the process's access token.

Inheritance of permissions is used most often when a new object is created. It is particularly effective when creating files, since this operation is performed most frequently.

Permissions for directories and files

In Windows NT the administrator can manage user access to directories and files in partitions formatted with the NTFS file system. FAT partitions are not supported by Windows NT's protection facilities, because the FAT file and directory attributes cannot store access control lists. Access to directories and files is controlled by setting permissions. Windows NT permissions are divided into individual and standard ones. Individual permissions correspond to elementary operations on directories and files, while a standard permission is a union of several individual permissions. The following table shows the six individual permissions (elementary operations), whose meaning differs for directories and files. For files in Windows NT 4 there are four standard permissions: No Access, Read, Change and Full Control, which combine the individual permissions listed in the following table. Full Control differs from Change in that it gives the right to change permissions (Change Permission) and to take ownership of the file (Take Ownership). For directories Windows NT defines seven standard permissions: No Access, List, Read, Add, Add & Read, Change and Full Control. The following table shows the correspondence between standard and individual permissions for directories, as well as the way in which they are converted into individual permissions for the files in the directory when files inherit the directory's permissions. When a file is created it inherits the directory's permissions only if the directory entry carries the inheritance flag. The standard Windows NT shell, Windows Explorer, does not allow the inheritance flag to be set for each individual permission (that is, an inheritance mask); it manages inheritance on an "all or nothing" basis. There are a number of rules that determine how permissions act.
Users can work with a file or directory only if they have been given explicit permission to do so, or if they belong to a group that has such a permission. Permissions are cumulative, with the exception of No Access, which overrides all other existing permissions. For example, if the Engineering group is allowed Change for a file, the Finance group has only Read for that file, and Petrov is a member of both groups, then Petrov will have the Change permission. But if the permission of the Finance group is changed to No Access, Petrov will no longer be able to use the file, even though he remains a member of a group that has access to it. By default the Windows Explorer window shows the standard permissions and switches to showing individual permissions only when certain actions are performed. This encourages the administrator and users to use the sets of permissions that the OS developers considered most convenient.
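The ACL check of Fig. 7.29 combined with the Windows NT rules just stated (permissions from several entries accumulate, No Access overrides them, the owner controls the ACL), as an added example that is not code from the page: the dataclasses and function names are assumptions, and the expansion of the NT 4 standard file permissions into individual ones is taken from NT 4 documentation rather than from the page's (missing) table.

```python
# Added example (not from the original page): a model of the Fig. 7.29 ACL
# check with the Windows NT cumulative / No Access rules. Names assumed.
from dataclasses import dataclass

# NT 4 standard file permissions expanded into individual permissions
# (R read, W write, X execute, D delete, P change permissions, O take
# ownership). This mapping comes from NT 4 documentation, not from the page.
STANDARD = {
    "Read": frozenset("RX"),
    "Change": frozenset("RWXD"),
    "Full Control": frozenset("RWXDPO"),
}


@dataclass(frozen=True)
class ACE:
    sid: int                     # user or group identifier the entry names
    ops: frozenset = frozenset()  # individual permissions granted
    no_access: bool = False      # True models the No Access permission


@dataclass
class SecurityDescriptor:
    owner: int
    acl: tuple  # ACEs attached to the object


@dataclass
class Token:
    user: int
    groups: frozenset  # every group the logged-in user belongs to


def check_access(desc: SecurityDescriptor, token: Token, op: str) -> bool:
    """True if the token may perform individual permission op on the object."""
    ids = {token.user} | set(token.groups)
    granted = set()
    for ace in desc.acl:
        if ace.sid not in ids:
            continue            # entry refers to someone else
        if ace.no_access:
            return False        # No Access overrides every other entry
        granted |= ace.ops      # permissions from matching entries accumulate
    return op in granted


def can_edit_acl(desc: SecurityDescriptor, token: Token) -> bool:
    """The owner may always change the ACL; anyone else needs P."""
    return token.user == desc.owner or check_access(desc, token, "P")
```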
Copyright 2004-2011 OwlCom Software .