17: Protection/Security
Last Modified: 7/3/2004 1:48:28 PM

Slide 2: Protection
• Protecting processes/users from each other is one of the core OS responsibilities
• Control access of processes or users to resources of the computer system (HW and SW)
• Ensure resources are operated on by only those processes that have gained proper authorization
• Enforcing resource limits

Slide 3: Cross-cutting issue
• CPU Scheduling: protection by timer interrupts and OS scheduling policy
• Process Management: protection by access control and enforcement of resource limits (most OS?)
• Virtual Memory: protection by inability to name other processes' memory space
• File System: user defined access controls per file/directory
• Note: synchronization is more voluntary protection, by observing rules within a set of processes/threads that share data (Monitors maybe protection?)

Slide 4: How to do protection?
• From that brief survey of OS topics it is clear that protection can be accomplished in many ways
• Protection can be based on the design of the system which makes access impossible (can't even name things you shouldn't access)
  • E.g. VM
• Protection can be controllable by an OS wide policy (OS controls resource allocation)
  • E.g. timer interrupts
• Protection can be controlled by user definable access controls
  • E.g. user can set FS access controls
• Implies ability to deny unauthorized access! Ability to enforce the policy!

Slide 5: Principles
• Generally the more restrictive the system the more protection
• "Need to know" principle says only grant those rights absolutely necessary to accomplish a task
• Start out granting none and see where it breaks, add the smallest new privileges possible
  • Ex. If a process only needs to read/write one specific file then don't give it access to all the user's files
  • Ex. Don't give full root privileges just because you need to open a port < 1024

Slide 6: Policy vs Mechanism
• Mechanism says "what types of access are possible" and "defines the means for identifying authorized vs unauthorized access"
• Policy says "which processes/users should have which kinds of access"
• When building a system it is best to make the mechanism match the problem domain rather than a particular desired policy
• More flexible if you separate mechanism from policy!
• Example: if your mechanism does not distinguish between read and execute rights then it is impossible to hand out one without the other; if the mechanism does distinguish then policy may never choose to hand out one without the other, but it could

Slide 7: Types of access
• The possible types of access depend on the resource
  • CPUs can be executed upon
  • Files can be read/written/executed
  • Directories can be read/inserted into/deleted from/traversed without displaying all
  • Tape drives can be read/written/rewound
• Begin by thinking about all the possible actions you might want to allow/disallow on an object

Slide 8: Protection Domain
• Once we determine all the possible resources in the system and all the possible types of access to those resources, the next step is to think about all the possible entities to whom we would like to grant/deny rights
• Associate with each entity a "protection domain"
• Define a protection domain as a collection of access rights to specified objects

Slide 9: Typical Domain Granularities
• One domain for OS; one domain for USER
• Domain per user
• Domain per process
• Domain per procedure
• …

Slide 10: Recall: Kernel/User Mode
• Hardware needs to be able to distinguish the OS from user apps
  • Controls ability to execute privileged instructions etc.
• Most architectures have a "mode" value in a protected register
  • When user applications execute, the mode value is set to one thing
  • When the OS kernel executes, the mode value is set to something else
• If code running in user mode attempts to execute protected instructions, an exception will be generated
• Switching the mode value must of course be protected

Slide 11: System Call Illustrated
User mode:
  1. File.open("/home/README")
  2. SystemCall(SYS_OPEN, "/home/README")
Kernel mode:
  3. Save user registers and mode, look up SYS_OPEN in a table of system call procedures, change the mode bit, jump to the kernelOpen procedure
  4. kernelOpen("/home/README", this application's access rights)
  5. Restore user mode and the application's registers etc.
User mode:
  6. Resume application with the file opened or an error

Slide 12: Is Kernel/User distinction enough?
• Not if we want to distinguish between users!
• How can we distinguish between users?
• Is user the best thing to base a domain on?
  • Do you want all processes you run to have your full privileges?
  • Do you ever need special privileges but not all of root access?

Slide 13: Distinguishing users: Logging in
• When a user logs in, they supply a password which is checked against a password list
• In UNIX, passwords are stored in the file /etc/passwd
• What is in this file?
  • Naive approach: a file with everyone's password in it (but what if that file is compromised?)
  • Better: keep a file with hash(password)
• A one way hash function makes it hard to get from hash(password) to password but easy to go from password to hash(password)
• Now we can distribute the password file in plain text and the passwords are not revealed

Slide 14: Other attacks?
• Dictionary attack? Compile a list of common passwords (all English words, for example) and compute hash(password) on all of them; compare the contents of the password list to this dictionary list
• Solution? Salt
  • Password file entry = hash(salt + password)
  • Store salt in clear
  • Bad guy can't just use a pre-generated dictionary file – has to have a different one for each person's salt
• UNIX uses a 12-bit salt
  • so need 2^12 different dictionary files – one for each salt
  • Is 4096 times harder hard enough?

Slide 15: Better passwords?
• Words in English dictionary? 250,000 (http://www.askoxford.com/asktheexperts/faq/aboutwords/numberwords)
• Possible 8 character passwords if just letters: 52^8 = 53,459,728,531,456
• If add digits: 62^8
• If add punctuation (32 punctuation characters??): 94^8
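Added example (not from the lecture slides) of the salted password file from slides 13-15 and the login check of slide 17: the salt is stored in the clear, the hash is computed over salt + password, and the same password under two salts yields two different stored values, which is why one precomputed dictionary no longer covers every entry. The hash function (SHA-256) and the user names and passwords are assumptions of this example.

```python
"""Salted password file: entry = user:salt:hash(salt + password).

The lecture describes hash(salt + password) with a 12-bit salt stored
in the clear. SHA-256 is an assumption here (chosen because it is in the
standard library); classic crypt(3) used a DES-based hash instead.
"""
import hashlib
import secrets
from typing import Optional

SALT_BITS = 12                       # UNIX salt size named on slide 14
DICTIONARY_TABLES = 2 ** SALT_BITS   # distinct precomputed tables needed, one per salt


def hash_salted(salt: int, password: str) -> str:
    """hash(salt + password): the salt is mixed in before hashing."""
    data = salt.to_bytes(2, "big") + password.encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def make_entry(user: str, password: str, salt: Optional[int] = None) -> str:
    """One line of the password file. The salt is stored in the clear;
    the password itself is never stored."""
    if salt is None:
        salt = secrets.randbits(SALT_BITS)
    return f"{user}:{salt}:{hash_salted(salt, password)}"


def check_login(entry: str, password: str) -> bool:
    """What login does on slide 17: read the entry, recompute
    hash(salt + password) with the stored salt and compare."""
    _user, salt_text, stored = entry.split(":")
    candidate = hash_salted(int(salt_text), password)
    return secrets.compare_digest(candidate, stored)


def password_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length (slide 15)."""
    return alphabet_size ** length


def salt_defeats_shared_table(password: str, salt_a: int, salt_b: int) -> bool:
    """Same password, two salts: the stored hashes differ, so a single
    table of hash(word) cannot be compared against both entries."""
    return hash_salted(salt_a, password) != hash_salted(salt_b, password)


if __name__ == "__main__":
    # Constructed sample entries, not real accounts.
    passwd_file = [make_entry("alice", "correct horse", salt=7),
                   make_entry("bob", "correct horse", salt=4095)]
    for line in passwd_file:
        print(line)
    print(check_login(passwd_file[0], "correct horse"))  # True
    print(check_login(passwd_file[0], "wrong"))          # False
    print(password_space(52, 8))                         # 53459728531456
```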

Slide 16: Distinguishing users (cont.)
• Some systems allow other machines to vouch for the identity of a user
  • Ex. rsh/rcp etc. allow a user to specify a list of users and machines allowed to act like them (without a password)
• Example: .rhosts says allow jnm@* to log in as me
  • Then if there is a jnm account on any machine it can act like me
  • Even if it says jnm@mymachine, other machines can masquerade as mymachine
• Bad stuff!

Slide 17: Logging in
• Recall: in the last stages of the boot process, the OS creates a process called init
• Init does various important housecleaning activities including maintaining a process for each terminal port (tty)
• Getty then executes the login program on that tty
• Login gets the user name/password from the user, reads /etc/password, computes hash(salt + password) and compares
• If login is successful, login will spawn a shell process for the user
• The shell and all its children run with that user's privileges

Slide 18: User's processes
• OS will maintain memory protection (even amongst processes belonging to the same user)
• OS will also check file permissions for all files the process attempts to access/create
• More on file permissions later..

Slide 19: Root
• Root is just a special userId
• Can correspond to many user names in /etc/password, but any user with userId 0 is root
• OS gives processes with userId 0 special privileges, e.g.:
  • Opening privileged ports
  • Reading/writing/executing all files
  • Becoming any other user
  • Exceeding the FS quotas (like FFS's 10% reserve)

Slide 20: SetUid
• SetUid allows a process to be run *by* one user but *with the permissions* of another user
• SetUid/Setgid system calls
• SetUid is also a characteristic of a program in the file system
  • E.g. a SetUid root program could be run by normal users but would run with root privileges
• Good idea to set up a special userId with just the privileges you need and setUid to that user rather than root

Slide 21: Careful
• If you become root (or any user) once, you can make a setuid program that can be used any time!
• Some systems require all setUid programs to be in a special directory that can be monitored
• Alternative: daemon process running with root privileges to which users can send requests for actions
• Careful with these too – many attacks focused on holes in these!

Slide 22: Domain per process
• Good for the programmer to be able to limit the protection domain of a process to the minimal set necessary to accomplish a task
  • Why do I have to give every process I run my full access rights!
  • Trojan horses?
• Even within a process, the rights necessary may vary over the lifetime of the process
  • If you only need certain privileges to initialize, why keep them for the entire life of the process when they might be exploited later?

Slide 23: limit/ulimit, getrlimit/setrlimit
• Limit resource usage of a process and its descendents
• Example limits:
  • Limit data segment/heap/stack
  • Limit amount of address space mapped (VM limit)
  • Limit max CPU time
  • Limit size of created files and number of files
  • Limit max core file size
• Each descendent gets to reach the limit, not cumulative – so can still exceed with lots of children
• Soft/hard limits
  • Any user can decrease or increase up to the hard limit
  • Only root can raise hard limits

Slide 24: Other limits
• Quota – allows limiting a user's consumption of hard disk space
• Chroot – makes a specified directory the root of a process's file system such that it cannot access the rest of the file system
• FreeBSD has "jail" for confining root to a subset of special privileges
  • http://docs.freebsd.org/44doc/papers/jail/jail.html

Slide 25: Pluggable Authentication Modules (PAM)
• Linux pluggable user login procedures
• Allow various password systems, smart cards, anything behind a standard interface
• Applications like login or ftpd needn't be rewritten for each new mechanism
• PAM also allows setting per user resource limits (similar to ulimit)

Slide 26: Domain per Procedure
• ???

Slide 27: Access Matrix
• Now we've figured out all the objects we want to protect, the types of access we might want to grant and the entities to whom we will grant them
• Result = Access Matrix
• Rows of the matrix can be domains
  • Regardless of granularity of domain
  • If domain per user then row per user
• Columns are objects or resources
• The value at entry(i,j) says the rights domain i has to object j

Slide 28: Access Matrix
[Figure A: access matrix example; image not reproduced]

Slide 29: Implementation of Access Matrices
• 2D array – how hard can that be?
• Well, it's not hard, but it is big and often filled with lots of 0's
  • If most domains have permissions to only a few objects then there will be lots of wasted space
• Avoid this by chopping up the access matrix and compressing
• OS may also choose to divide up into logical sections (i.e. all protection info related to files in one place and all protection info related to users in another)
• Also compression from domain = groups of users
• Also compression from inheritance

Slide 30: Access List
• Chop the access matrix into columns and don't list domains that have no access
• With each object store the list of domains that can access it and in what ways
• A domain that is not present in the list has no access rights
• Easy to set a default set of rights for an object and then only need to enter exceptions to the default

Slide 31: Capabilities
• Chop the access matrix into rows and don't list objects for which you have no rights
• With each domain store the list of objects it can access and in what ways
• Sometimes simply knowing the name of an object gives you access
• Managed by the OS (not managed by processes/users directly)
  • Usually the process is given a handle and the capability pointed to by the handle is stored in the OS
• Present the capability on every access

Slide 32: Speed of access?
• With pure access lists, the access list must be searched on each access = slow
• Capabilities on the other hand can be obtained once and then presented with each access
  • Fast as a validity check on the capability
  • If stored in the OS and the process just gets a handle then can assume valid

Slide 33: Revocation of Access Rights
• Does revocation take place immediately or is there some propagation delay? If there is a delay, is it bounded?
• When a given right is revoked, can it affect just one domain or all? (example: changing a lock vs removing one user from an access list)
• Can we revoke just a few rights to an object or must we revoke them all?
• Can access be permanently revoked or can it be revoked and later obtained again?

Slide 34: Access lists vs capabilities
• With access lists, revocation is easy
  • List of rights held with the object, simply edit it in one place
  • Revocation is immediate and can be flexible whether it is general/selective, total/partial and permanent/temporary
• Capabilities make it harder
  • List of rights stored with each domain
  • How do we find everyone with a given right?

Slide 35: Support for revocation in capability based systems
• Periodically have rights time out and force them to be reacquired so we can bound the time till revocation takes place (not immediate)
• Maintain back-pointers to all domains holding a capability so we can find and revoke at any time (costly!)
• Maintain a master key for each object
  • When granting a capability give a copy of the master key
  • To revoke, change the master key
  • Then everyone will have to reacquire (not selective)
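Added example (not from the lecture) covering slides 27-35: a sparse access matrix viewed as access lists (columns) and capability lists (rows), with access-list revocation edited in one place and capability revocation done by changing the object's master key. Domain, object and right names are constructed sample data.

```python
from collections import defaultdict
import secrets


class AccessMatrix:
    """Sparse access matrix: entry(i, j) = rights domain i has to object j."""

    def __init__(self):
        self.rights = defaultdict(set)   # (domain, obj) -> set of rights
        self.master_keys = {}            # obj -> current master key (slide 35)
        self.capabilities = {}           # handle -> (domain, obj, rights, key copy)

    def grant(self, domain, obj, *rights):
        self.rights[(domain, obj)].update(rights)
        self.master_keys.setdefault(obj, secrets.token_hex(8))

    # Access list: one column of the matrix, domains with no rights omitted.
    def access_list(self, obj):
        return {d: set(r) for (d, o), r in self.rights.items() if o == obj and r}

    # Capability list: one row of the matrix, objects with no rights omitted.
    def capability_list(self, domain):
        return {o: set(r) for (d, o), r in self.rights.items() if d == domain and r}

    def check_acl(self, domain, obj, right):
        """Pure access-list check: the object's list is searched on every access."""
        return right in self.access_list(obj).get(domain, set())

    def revoke_acl(self, obj, right, domain=None):
        """Access-list revocation: edit the one list held with the object.
        Selective (one domain) or general (all domains), and immediate."""
        for (d, o), r in self.rights.items():
            if o == obj and (domain is None or d == domain):
                r.discard(right)

    def acquire_capability(self, domain, obj):
        """The OS stores the capability and hands the process only a handle."""
        rights = self.rights.get((domain, obj), set())
        if not rights:
            return None
        handle = len(self.capabilities) + 1
        self.capabilities[handle] = (domain, obj, set(rights), self.master_keys[obj])
        return handle

    def check_capability(self, handle, right):
        """Fast path: no list search, just a validity check on the capability.
        A capability whose key copy is stale is no longer valid."""
        cap = self.capabilities.get(handle)
        if cap is None:
            return False
        _domain, obj, rights, key = cap
        return key == self.master_keys[obj] and right in rights

    def revoke_by_master_key(self, obj):
        """Change the object's master key: every outstanding capability to obj
        is invalidated at once and holders must reacquire (not selective)."""
        self.master_keys[obj] = secrets.token_hex(8)

    def holders_of(self, obj):
        """Back-pointers: which domains currently hold a capability to obj."""
        return {d for (d, o, _r, _k) in self.capabilities.values() if o == obj}


def demo():
    """Constructed sample data: domains D1/D2, files F1/F2."""
    m = AccessMatrix()
    m.grant("D1", "F1", "read")
    m.grant("D1", "F2", "read", "write")
    m.grant("D2", "F1", "read", "execute")
    h = m.acquire_capability("D1", "F2")
    cap_before = m.check_capability(h, "write")
    m.revoke_acl("F2", "write")                   # edit the list in one place...
    acl_after = m.check_acl("D1", "F2", "write")  # ...immediate for list checks
    cap_still = m.check_capability(h, "write")    # ...but the handed-out capability is not rechecked
    m.revoke_by_master_key("F2")                  # master key change reaches every holder
    cap_after = m.check_capability(h, "write")
    return cap_before, acl_after, cap_still, cap_after


if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```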

Slide 36: Combining access lists and capabilities
• In many OS, on first access search the access list
• Then enter a capability in the OS for this process and return a "handle" to this capability to the process
• Example: file handles
  • When opening a file, search the access list in the file system
  • If the open succeeds, enter an open file pointer in the address space of the process along with pointers to file buffers, vnode, etc.
  • Return a file descriptor or file handle, which is simply an offset into an open file table
  • Use the file descriptor on each additional access
  • OS uses the open file info but doesn't recheck permissions for each access

Slide 37: Experiment
• Write a program to open a file and then access it many times (maybe ask the user before each access)
• After the open is done successfully and a couple of accesses are done OK, change permissions in the file system to disallow access
• Does it allow additional accesses or not?
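The experiment from slide 37, as an added example (not from the lecture): open a file, read from it, remove all file system permissions, then read again through the same descriptor and try a fresh open. On Unix the access list is searched at open(); later reads go through the open file table and are not rechecked. The file is a constructed temporary file.

```python
import os
import stat
import tempfile


def open_then_revoke_experiment() -> dict:
    """Returns which steps succeeded. Runs on Unix; the file is a temp file."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secret.txt")
        with open(path, "w") as f:
            f.write("line 1\nline 2\nline 3\n")      # constructed content
        fd = os.open(path, os.O_RDONLY)             # access list searched here
        result["read_before"] = os.read(fd, 6) == b"line 1"
        os.chmod(path, 0)                           # revoke all FS permissions
        result["mode_now"] = stat.S_IMODE(os.stat(path).st_mode)
        # Same descriptor: the OS uses the open file info and does not
        # recheck permissions, so this read still succeeds.
        try:
            result["read_after_chmod"] = os.read(fd, 7) == b"\nline 2"
        except PermissionError:
            result["read_after_chmod"] = False
        os.close(fd)
        # A fresh open() searches the access list again and is refused for an
        # ordinary user (root bypasses file permissions, slide 19).
        try:
            fd2 = os.open(path, os.O_RDONLY)
            os.close(fd2)
            result["reopen_after_chmod"] = True
        except PermissionError:
            result["reopen_after_chmod"] = False
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # restore so cleanup is tidy
        result["is_root"] = os.geteuid() == 0
    return result


if __name__ == "__main__":
    for step, outcome in open_then_revoke_experiment().items():
        print(f"{step}: {outcome}")
```

The answer to the slide's question is therefore "yes": the revocation only takes effect for descriptors obtained after the permission change.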

Slide 38: Rights to the access matrix?
• In addition to objects in the matrix, we can also think about rights to the matrix itself
  • Who can add rights to an entry?
  • Who can switch which domain is active?
  • Who can add domains?
• Additional rights
  • Copy right – allow copying of rights to other domains
  • Transfer – migrate rights from one domain to another (different than copying)
  • Owner right – addition of new rights or removal of rights
  • Switch right – ability to switch to a domain; consider domains as objects

Slide 39: Access Lists in Unix FS
• Unix FS usually contains access lists with each file
• Not very extensive access lists though!
  • Usually just able to specify read, write and execute rights for three groups: user, group and world
• Can imagine more extensive access list information than this?
  • PRO: more flexible
  • CON: more storage

Slide 40: More extensive mechanisms
• More extensive list of possible rights?
  • Larger list of possible rights to files (not just read/write/execute)
• Finer granularity control of who accesses?
  • Allow a list of users rather than user/group/all
• Finer grain mechanism allows policies that better match the "need to know" principle

Slide 41: AFS access control lists
• Ability to specify additional types of access rights on a directory
  • Administer, delete, insert, lookup, read, write
• Group into categories
  • Read access – just read
  • Write access – all but administer
  • None
  • All
• Can specify a separate set of access rights for all users and groups (not just single user and group)

Slide 42: AFS Example
% fs setacl -dir . -acl pat:friends rl smith write
% fs listacl -path .
Access list for . is
Normal rights:
  pat:friends rl
  smith rlidwk

Slide 43: Windows NT family
• Designed with protection/security in mind from the beginning
• Protection for files, devices, mailslots, pipes, jobs, processes, threads, events, mutexes, semaphores, timers, registry keys, …
• Even earned a security rating from the government
  • Secure logon facility
  • Discretionary access control: allow the owner to specify who can access an object in what way
  • Security auditing
  • Object reuse protection: zero out all objects before reallocating

Slide 44: NT Access Control Lists
• Two types
• DACL
  • Specify types of access to an object
  • List of access control entries that can either specify to allow or deny access
• SACL
  • Specify auditing to be done on access to an object
  • Specify both who should be audited and what ops should be audited

Slide 45: Hydra
• Multiprocessor OS from CMU, 1974
• Extremely fine grained and flexible protection system
  • Used capabilities
• Early "object-oriented" system – with OS support for objects
• Extensible security system
  • Users could define new types of objects to be protected

Slide 46: Hydra Objects
• Each object has with it a collection of access rights
  • Manipulated by the OS, so unforgeable
• Very early OOP concepts
  • Each object defined by data, operations that can be applied, and the collection of access rights to it
• Kernel provided operations for the definition of new types of object and associated rights

Slide 47: Hydra procedures
• Each procedure has its code and a list of caller independent capabilities and caller dependent capabilities (holes)
• Local Name Space (LNS)
  • When you call a procedure, fill in the "holes" with your own current capabilities and gain the caller independent capabilities to form a current set of capabilities
  • Process = stack not just of procedures but also of capabilities!!
• Great flexibility!
  • Each procedure can upgrade rights for just that procedure and also base access on the rights of the caller

Slide 48: Hydra vs OOP Programming
HYDRA              | Programming Language
Object             | Variable (Object)
Type               | Type
Capability         | Pointer + (Access Type?)
Local Name Space   | Activation Record
Procedure          | Procedure/subroutine
Templates          | Formal parameter specification
Call Mechanism     | Subroutine call

Slide 49: Hydra Pros and Cons
• Very flexible system
  • Implements the "need to know" principle to the level of every object and every procedure!
• Requires a domain switch for every procedure call and access rights for each object
  • GOOD: each procedure has only the rights required
  • BAD: expensive to check constantly
  • OS trap per procedure call
• Modern OS support for protection is not this extensive
  • As we have extra performance and security is more of a worry….

Slide 50: Language-Based Protection
• How far can you get with just language support and not OS support?
• Java VM? Do you trust your compiler?
• Great read for this week: "Reflections on Trusting Trust"

Slide 51: Protection vs Security
• So far we have been dealing with protection
• Protection deals with internal access controls
  • Users must log in
  • Access to resources tracked at a certain granularity
  • Access is granted by way of an access list or capability
• Security on the other hand deals more with external access controls
• Much more wide reaching!
  • Physical security
  • Psychological attacks
  • Etc.

Slide 52: Example
• We discussed how difficult it would be to guess someone's password
  • We considered things like the length of the key and the types of valid characters
  • We also discussed briefly the tendency of people to choose passwords from a much narrower space
• Security would also consider
  • Physical intimidation/bribes to get people's passwords
  • Physical access to a machine
  • Stunts like pretending to be a system administrator to get someone to voluntarily reveal their password

Slide 53: Physical Security
• Are you sure someone can't just walk into your building and
  • Steal floppies or CD-ROMs that are lying around?
  • Bring in a laptop and plug into your DHCP-enabled ethernet jacks?
  • Reboot your computer into single user mode? (using a BIOS password?)
  • Reboot your computer with a live CD-ROM and mount the drives?
  • Sit down at an unlocked screen?
• Can anyone sit down outside your building and get on your DHCP-enabled 802.11 network?

Slide 54: Social Engineering
• Using tricks and lies that take advantage of people's trust to gain access to an otherwise guarded system.
• Social Engineering by Phone: "Hi, this is your Visa credit card company. We have a charge for $3500 that we would like to verify. But, to be sure it's you, please tell me your social security number, PIN, mother's maiden name, etc."
• Dumpster Diving: collecting company info by searching through trash.
• Online: "Hi, this is Alice from my other email account on yahoo. I believe someone broke into my account, can you please change the password to 'Sucker'?"
• Persuasion: showing up in a FedEx or police uniform, etc.
• Bribery/Threats

Slide 55: Administrators
• Persons managing the security of a valued resource consider five steps:
1. Risk assessment: the value of a resource should determine how much effort (or money) is spent protecting it.
  • E.g., if you have nothing of value in your house, do you need to lock your doors other than to protect the house itself?
  • If you have a $16,000,000 artwork, you might consider a security guard. (Can you trust the guard?)
2. Policy: define the responsibilities of the organization, the employees and management. It should also fix responsibility for implementation, enforcement, audit and review.

Slide 56: Administrators (cont.)
3. Prevention: taking measures that prevent damage.
  • E.g., firewalls or one-time passwords (e.g., S/Key)
4. Detection: measures that allow detection of when an asset has been damaged, altered, or copied.
  • E.g., intrusion detection, Tripwire, computer forensics
5. Recovery/Response: restoring systems that were compromised; patch holes.

Slide 57: Outtakes
• Rings in Multics

Slide 58: Ulimit
• Linux/tasks.h
• Understanding the Linux Kernel, pp. 78-80
• http://www.experts-exchange.com/Operating_Systems/Linux/Q_20291950.html
• http://seifried.org/lasg/users

Slide 59: System Management Tasks
• In Unix usually boils down to the ability to read/write protected files
  • Editing /etc/password, /etc/group etc.
  • Starting services with /etc/rc
  • Adding devices/mounting file systems
• In the Windows NT family, boils down to registry access permissions
  • Adding users and groups
  • Managing devices
  • Starting services
• Different interface, similar functionality

Slide 60: Windows NT Access Control Lists
• DENY/ALLOW entries
  • Obey the first matching entry
  • Safer to put deny entries first
• Two types: DACL (access) and SACL (auditing)
• FS permissions vs privileges
  • Some permissions are bypassed if you have the appropriate privilege
  • E.g. with the backup privilege (SE_BACKUP_NAME) you can read any file regardless of FS permissions
  • E.g. the bypass traverse checking privilege allows a user to access C:\foo\bar\baz even if they don't have access to C:\foo

Slide 61: NT
• Inheritance of access rights
  • If an object doesn't have an ACL, go up the tree to the parents until you find something that is inheritable
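Added example (not from the lecture) for slides 60-61: first-match evaluation of DENY/ALLOW entries, which shows why deny entries belong first, a privilege (the backup privilege named on slide 60) bypassing the ACL for reads, and the walk up the tree to an inheritable parent ACL. The user, group and path names and the ACE layout are constructed for this example; this is a model of the rule on the slide, not the Windows implementation.

```python
# An ACE is (kind, trustee, rights): kind is "deny" or "allow", trustee is a
# user or group name, rights is the set of operations the entry covers.

def first_matching_ace(acl, user, groups, right):
    """Kind of the first entry naming the user (or one of the user's groups)
    that covers the requested right, or None if no entry matches."""
    principals = {user, *groups}
    for kind, trustee, rights in acl:
        if trustee in principals and right in rights:
            return kind
    return None


def access_allowed(acl, user, groups, right):
    """Obey the first matching entry; no matching entry means no access."""
    return first_matching_ace(acl, user, groups, right) == "allow"


def check_access(acl, user, groups, right, privileges=frozenset()):
    """Permissions vs privileges: the backup privilege (SE_BACKUP_NAME) lets the
    holder read regardless of the ACL; every other right goes through the ACL."""
    if right == "read" and "SE_BACKUP_NAME" in privileges:
        return True
    return access_allowed(acl, user, groups, right)


def parent_path(path):
    """C:\\foo\\bar -> C:\\foo; a path with no separator is the top (None)."""
    return path.rsplit("\\", 1)[0] if "\\" in path else None


def effective_acl(path, acls):
    """acls maps path -> (acl, inheritable). An object with its own ACL uses
    it; otherwise go up to the parents until an inheritable ACL is found."""
    own = acls.get(path)
    if own is not None:
        return own[0]
    parent = parent_path(path)
    while parent is not None:
        entry = acls.get(parent)
        if entry is not None and entry[1]:
            return entry[0]
        parent = parent_path(parent)
    return []          # nothing inheritable above: no entries, so no access


def demo():
    # Constructed sample: staff may read and write, but mallory must not write.
    deny_first = [("deny", "mallory", {"write"}),
                  ("allow", "staff", {"read", "write"})]
    allow_first = list(reversed(deny_first))       # same entries, wrong order
    acls = {"C:\\foo": (deny_first, True),
            "C:\\foo\\bar\\baz": ([("allow", "eve", {"read"})], False)}
    return {
        "mallory_write_deny_first": access_allowed(deny_first, "mallory", {"staff"}, "write"),
        "mallory_write_allow_first": access_allowed(allow_first, "mallory", {"staff"}, "write"),
        "bar_inherits_from_foo": effective_acl("C:\\foo\\bar", acls) == deny_first,
        "backup_reads_anyway": check_access(deny_first, "eve", set(), "read", {"SE_BACKUP_NAME"}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```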

Slide 62: Novell Access Lists
• Object Rights
  • Browse, create, delete, inheritance control, rename
• Attribute Rights
  • Compare (test but not read), read, add/delete self, write
• Note: applies to other objects besides files
  • Ex. Compare used to ask "is this your password" (but not to read the password)
  • Ex. Add/delete self on a mailing list: can't read the rest of the list or write others, but can add/remove self

Slide 63: Novell
• NDS specific
• Permissions set on the FS are SRWECMFA
• IRF/IRM (inherited rights filter vs inherited rights mask)
  • Set on an object to stop the flow of certain permissions from the parent