Computational model
  Set of entities (objects) managed by the OS kernel.
    High-level abstractions are supported transparently by low-level mechanisms.
  Processes.
  User identifiers.
    Users;
    Groups.
  Virtual memory.
  Files and file systems.
    Directories;
    Files;
    Special files.
  Communication channels.
    Pipes;
    Sockets;
    Etc.
  Physical devices.
    Storage;
      Tapes;
      Magnetic disks;
      Optical disks;
      SSD.
    Network interfaces;
      Wired, wireless.
    Human-computer interfaces;
      Keyboards;
      Graphical screens;
      Text consoles;
      Mice.
    Serial/parallel I/O interfaces.
      USB;
      Serial & parallel ports;
      Bluetooth.
User identifiers
  For the OS kernel, a user is a number.
    It is established during a login operation.
    User ID (UID).
  All activities on a computer are executed on behalf of a UID.
    The UID allows the kernel to decide what is allowed or denied to processes.
  Linux: UID 0 is omnipotent (root).
    Administration activities are usually executed with UID 0.
  Windows: the concept of privileges.
    For administration, system configuration, etc.
    There is no unique, well-known identifier for an administrator.
    Administration privileges can be bound to several UIDs.
      Usually through administration groups;
      Administrators, Power Users, Backup Operators.
  Linux: the concept of capabilities (similar to privileges).
Group identifiers
  Groups also have an identifier.
    A group is a set of users;
    A group can be defined by including other groups;
    Group ID (GID).
  A user can belong to several groups.
    Actual user rights = rights of the UID + rights of the GIDs of the user's groups.
  In Linux, all activities are executed on behalf of a set of groups.
    Primary group.
      It is typically used for setting file protection.
    Secondary groups.
Processes
  A process defines the context of an activity.
    For making security-related decisions.
    For other purposes (e.g. scheduling).
  Security-related context.
    Identity (UID and GIDs).
      Fundamental for enforcing access control.
    Resources being used.
      Open files.
        Including communication channels.
      Reserved virtual memory areas.
      CPU time used.