The processes in an operating system must be protected from one another’s
tải về 252.86 Kb. Chế độ xem pdf
|
| 630
Chapter 14 Protection that of the owner of the file: B. When the process exits, this temporary user ID change ends. Other methods are used to change domains in operating systems in which user ID s are used for domain definition, because almost all systems need to provide such a mechanism. This mechanism is used when an otherwise privileged facility needs to be made available to the general user population. For instance, it might be desirable to allow users to access a network without letting them write their own networking programs. In such a case, on a UNIX system, the setuid bit on a networking program would be set, causing the user ID to change when the program was run. The user ID would change to that of a user with network access privilege (such as root , the most powerful user ID ). One problem with this method is that if a user manages to create a file with user ID root and with its setuid bit on , that user can become root and do anything and everything on the system. The setuid mechanism is discussed further in Appendix A. An alternative to this method used in some other operating systems is to place privileged programs in a special directory. The operating system is designed to change the user ID of any program run from this directory, either to the equivalent of root or to the user ID of the owner of the directory. This eliminates one security problem, which occurs when intruders create programs to manipulate the setuid feature and hide the programs in the system for later use (using obscure file or directory names). This method is less flexible than that used in UNIX , however. Even more restrictive, and thus more protective, are systems that simply do not allow a change of user ID . In these instances, special techniques must be used to allow users access to privileged facilities. For instance, a tải về 252.86 Kb. Chia sẻ với bạn bè của bạn:
|