The processes in an operating system must be protected from one another’s
tải về 252.86 Kb. Chế độ xem pdf
|
| daemon
process may be started at boot time and run as a special user ID . Users then run a separate program, which sends requests to this process whenever they need to use the facility. This method is used by the TOPS-20 operating system. In any of these systems, great care must be taken in writing privileged programs. Any oversight can result in a total lack of protection on the system. Generally, these programs are the first to be attacked by people trying to break into a system. Unfortunately, the attackers are frequently successful. For example, security has been breached on many UNIX systems because of the setuid feature. We discuss security in Chapter 15. 14.3.3 An Example: MULTICS In the MULTICS system, the protection domains are organized hierarchically into a ring structure. Each ring corresponds to a single domain (Figure 14.2). The rings are numbered from 0 to 7. Let D i and D j be any two domain rings. If j < i, then D i is a subset of D j . That is, a process executing in domain D j has more privileges than does a process executing in domain D i . A process executing in domain D 0 has the most privileges. If only two rings exist, this scheme is equivalent to the monitor–user mode of execution, where monitor mode corresponds to D 0 and user mode corresponds to D 1 . MULTICS has a segmented address space; each segment is a file, and each segment is associated with one of the rings. A segment description includes an entry that identifies the ring number. In addition, it includes three access bits |