13. Permissions (part II), multifile C project

Permissions. Hard case

DAC (discrete access control): subject-subject model

Reprise: rwx*ugo

chmod
Octal equivalent of attributes
Directory permissions
- x versus r
- t-bit (octal?)
SetUID/setGID

SetGID directory traversal (as seen on TCB)

How i works

DAC (discrete access control) pitfalls

one type of mutlisubject (e. g. cannot separate groups RO, WO and no access in the same time)
Complexity of exceptional access control (e. g. restrict for one user)

Capabitities (see also insecure.ws docs

root is dangerous
⇒ many separate privilege escalations
setcap
flexible on execve()
example: ping

Other permission schemes:

Policy Kit: special library for authentificating queries from non-privileged prtocesses to privileged ones. Uses D-Bus.
- docs

Mandatory access control

MAC: (mandatory access control): subject-object model

Table subjects×objects
- → $$\oo$$
- ⇒ almost any combination
- conmplex logic of inheritance
- e. g. windows

Table ACL

acl
- setfacl/getfacl

Rule-based ACL

Multifile C progect

TODO

libraries
local/global
build dependencies, tree-like build sequence
make, docs

H/W

TODO

HSE/ProgrammingOS/13_PermissionsAndMakefile (последним исправлял пользователь FrBrGeorge 2020-03-06 16:11:17)

Page.execute = 0.004s
getACL = 0.034s
init = 0.001s
load_multi_cfg = 0.000s
run = 0.360s
send_page = 0.344s
send_page_content = 0.045s
total = 0.361s