daemon process may be started at boot time and run as a special user ID. Users then run a separate program, which sends requests to this process whenever they need to use the facility. This method is used by the TOPS-20 operating system.

In any of these systems, great care must be taken in writing privileged programs. Any oversight can result in a total lack of protection on the system. Generally, these programs are the first to be attacked by people trying to break into a system. Unfortunately, the attackers are frequently successful. For example, security has been breached on many UNIX systems because of the setuid feature. We discuss security in Chapter 15.
14.3.3 An Example: MULTICS
In the MULTICS system, the protection domains are organized hierarchically into a ring structure. Each ring corresponds to a single domain (Figure 14.2). The rings are numbered from 0 to 7. Let D_i and D_j be any two domain rings. If j < i, then D_i is a subset of D_j. That is, a process executing in domain D_j has more privileges than does a process executing in domain D_i. A process executing in domain D_0 has the most privileges. If only two rings exist, this scheme is equivalent to the monitor–user mode of execution, where monitor mode corresponds to D_0 and user mode corresponds to D_1.
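The ring ordering above can be made concrete with a small model. The following is an added illustration, not code from the textbook or from MULTICS itself: rings 0 through 7 are treated as domains, each segment carries a ring number in its description, and a process may use a segment only from a ring numbered no higher than the segment's. The segment names and ring assignments in SAMPLE_SEGMENTS are constructed sample values. The check_ring_hierarchy function verifies the textbook's invariant that D_i is a subset of D_j whenever j < i, and two_ring_mode shows the collapse to monitor/user mode when only rings 0 and 1 exist.

```python
"""Model of MULTICS-style hierarchical ring domains (added illustration)."""
from dataclasses import dataclass

NUM_RINGS = 8  # MULTICS numbers its rings 0 through 7


@dataclass(frozen=True)
class Segment:
    """A segment plus the ring number recorded in its segment description."""
    name: str
    ring: int


def domain_rights(ring, segments):
    """Return the set of segment names usable by a process executing in `ring`.

    A segment whose description names ring r is usable from any ring <= r,
    so a lower-numbered (more privileged) ring sees a superset of what a
    higher-numbered ring sees.
    """
    if not 0 <= ring < NUM_RINGS:
        raise ValueError(f"ring {ring} outside 0..{NUM_RINGS - 1}")
    return frozenset(s.name for s in segments if ring <= s.ring)


def check_ring_hierarchy(segments):
    """Verify the textbook ordering: for all j < i, D_i is a subset of D_j."""
    domains = [domain_rights(r, segments) for r in range(NUM_RINGS)]
    for j in range(NUM_RINGS):
        for i in range(j + 1, NUM_RINGS):
            if not domains[i] <= domains[j]:
                return False
    return True


def can_access(process_ring, segment):
    """True if a process in `process_ring` may use `segment`."""
    return 0 <= process_ring < NUM_RINGS and process_ring <= segment.ring


def two_ring_mode(process_ring):
    """With only rings 0 and 1, ring 0 is monitor mode and ring 1 is user mode."""
    if process_ring not in (0, 1):
        raise ValueError("two-ring scheme has only rings 0 and 1")
    return "monitor" if process_ring == 0 else "user"


# Constructed sample segments (hypothetical names and ring assignments).
SAMPLE_SEGMENTS = [
    Segment("kernel_tables", 0),
    Segment("device_driver", 1),
    Segment("shared_library", 4),
    Segment("user_program", 7),
]

if __name__ == "__main__":
    for r in range(NUM_RINGS):
        print(f"D_{r}: {sorted(domain_rights(r, SAMPLE_SEGMENTS))}")
    print("hierarchy holds:", check_ring_hierarchy(SAMPLE_SEGMENTS))
```

Running the model prints each ring's domain from D_0 (every segment) down to D_7 (only the user program), which makes the nesting of the rings visible at a glance.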
MULTICS has a segmented address space; each segment is a file, and each segment is associated with one of the rings. A segment description includes an entry that identifies the ring number. In addition, it includes three access bits