Topic: security by access rights


Access rights are a common method for restricting access to a resource. Typically, a resource carries an access list naming the users and processes that may use it and the operations each may perform. Access rights may also be defined by an access matrix, with one row per domain (a process or user) and one column per object. Access rights are particularly common for shared file systems and databases.

Rights may apply to all components of the resource. They may be passed to another process as a capability. A program may raise its access rights to those of its creator, as with the Unix set-user-ID bit.

Access rights may apply to a group or a role. Negative access rights revoke privileges selectively: a negative entry overrides any positive right a user obtains through group membership.

In Unix, an administrator may be the super-user, who has unrestricted access rights. The super-user makes it easy to fix user problems, but a single all-powerful account is open to abuse; the Andrew system instead identifies administrators by group membership, which gives an audit trail by user id and simple revocation.

Security may also be defined by capabilities or secure domains. Access management can be cumbersome: too many or too few rights tend to be granted, and adding a user may require editing many access lists. In the future, access control may need additional state, e.g., for billing purposes. (cbb 4/98)
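The following is an added worked example written for this page; it is not code from Thesa or from any of the systems cited below. It implements an access list in the style quoted for Andrew under examples (satyM8_1989): each entry holds a mask of positive and negative rights, a user's effective rights are the union of its own and its groups' positive rights minus the union of the negative rights, so revocation is a single negative entry rather than an edit of every group. It also adds Denning's 'copy' permission (see transfer of access rights) for passing rights to another principal. The right names, user ids 1000 to 1002, group id 50 and the scenario are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Rights as bit positions in a 32-bit access code (Denning's bit-vector
 * access code; AFS used 32-bit positive and negative masks). Illustrative names. */
enum {
    R_READ   = 1u << 0,
    R_WRITE  = 1u << 1,
    R_LOOKUP = 1u << 2,
    R_ADMIN  = 1u << 3,   /* may change this object's access list */
    R_COPY   = 1u << 4,   /* may pass a subset of own rights to another principal */
};

typedef uint32_t principal_t;   /* user or group id; one namespace here for brevity */

typedef struct {
    principal_t who;
    uint32_t positive;   /* rights granted */
    uint32_t negative;   /* rights denied; overrides positive */
} ace_t;

#define MAX_ACE 16
typedef struct { ace_t entries[MAX_ACE]; size_t n; } acl_t;

/* A domain is a user together with the groups it belongs to. */
#define MAX_GROUPS 8
typedef struct { principal_t uid; principal_t groups[MAX_GROUPS]; size_t ngroups; } domain_t;

static bool domain_has(const domain_t *d, principal_t p) {
    if (d->uid == p) return true;
    for (size_t i = 0; i < d->ngroups; i++) if (d->groups[i] == p) return true;
    return false;
}

/* One scan over the list: union the positive and the negative masks of every
 * entry naming the user or one of its groups. A single negative entry revokes
 * a right no matter how many group entries grant it. */
uint32_t effective_rights(const acl_t *acl, const domain_t *d) {
    uint32_t pos = 0, neg = 0;
    for (size_t i = 0; i < acl->n; i++) {
        if (!domain_has(d, acl->entries[i].who)) continue;
        pos |= acl->entries[i].positive;
        neg |= acl->entries[i].negative;
    }
    return pos & ~neg;
}

bool check_access(const acl_t *acl, const domain_t *d, uint32_t requested) {
    return (requested & ~effective_rights(acl, d)) == 0;
}

static ace_t *find_or_add(acl_t *acl, principal_t who) {
    for (size_t i = 0; i < acl->n; i++)
        if (acl->entries[i].who == who) return &acl->entries[i];
    if (acl->n == MAX_ACE) return NULL;
    acl->entries[acl->n] = (ace_t){ .who = who, .positive = 0, .negative = 0 };
    return &acl->entries[acl->n++];
}

/* Selective revocation: add a negative entry. Requires ADMIN on the object. */
bool revoke_rights(acl_t *acl, const domain_t *admin, principal_t who, uint32_t rights) {
    if (!check_access(acl, admin, R_ADMIN)) return false;
    ace_t *e = find_or_add(acl, who);
    if (!e) return false;
    e->negative |= rights;
    return true;
}

/* Transfer: a domain may pass a subset of its own effective rights to another
 * principal only if it holds COPY on the object. */
bool grant_rights(acl_t *acl, const domain_t *from, principal_t to, uint32_t rights) {
    uint32_t mine = effective_rights(acl, from);
    if (!(mine & R_COPY)) return false;
    if ((rights & ~mine) != 0) return false;   /* cannot give what you do not hold */
    ace_t *e = find_or_add(acl, to);
    if (!e) return false;
    e->positive |= rights;
    return true;
}

/* Constructed scenario: alice (1000) and bob (1001) are in group staff (50);
 * carol (1002) is in no group. Returns a bitmask of the rules that held;
 * 127 means every expectation was met. */
int scenario(void) {
    acl_t acl = {0};
    domain_t alice = { .uid = 1000, .groups = {50}, .ngroups = 1 };
    domain_t bob   = { .uid = 1001, .groups = {50}, .ngroups = 1 };
    domain_t carol = { .uid = 1002, .ngroups = 0 };
    find_or_add(&acl, 50)->positive   = R_READ | R_LOOKUP;          /* group entry */
    find_or_add(&acl, 1000)->positive = R_ADMIN | R_COPY | R_WRITE; /* owner-like entry */
    int bits = 0;
    if (check_access(&acl, &bob, R_READ))   bits |= 1;    /* via group */
    if (!check_access(&acl, &bob, R_WRITE)) bits |= 2;    /* never granted */
    if (revoke_rights(&acl, &alice, 1001, R_READ)) bits |= 4;   /* alice holds ADMIN */
    if (!check_access(&acl, &bob, R_READ))  bits |= 8;    /* negative beats group positive */
    if (!revoke_rights(&acl, &bob, 1000, R_READ)) bits |= 16;   /* bob lacks ADMIN */
    if (!grant_rights(&acl, &bob, 1002, R_LOOKUP)) bits |= 32;  /* bob lacks COPY */
    if (grant_rights(&acl, &alice, 1002, R_READ | R_WRITE)
        && check_access(&acl, &carol, R_READ)) bits |= 64;      /* delegation */
    return bits;
}

int main(void) {
    printf("scenario bits: %d (expect 127)\n", scenario());
    return 0;
}
```

The negative mask is what makes revocation cheap: bob keeps his group membership, and every other object still grants him the group's rights, yet this one object no longer does. The cost, as the quote on access lists notes, is that adding a user to many objects still means touching many lists.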

Subtopic: access control

Quote: users should have restricted access that is independent of other users [»robiL9_1975, OK]
Quote: security by least privilege; give only those privileges needed to accomplish the task [»schnB_2000]

Subtopic: access control by directory

Quote: simplify user security as my documents, shared documents, and public documents in separate directories; vendors and administrators handle everything else [»lampBW6_2004]

Subtopic: access matrix

Quote: the access matrix model concerns a set of uniquely named objects and an access domain for each process [»dennPJ_1980]
Quote: an entry in the access control matrix gives a list of permissions for processes in domain d to an object x; a bit vector access code [»dennPJ_1980]
Quote: permissions for changing the access control matrix are included in the matrix; e.g., add process to a domain and change permissions [»dennPJ_1980]
Quote: can associate an access list with each object that gives access codes for each domain; widely used for file systems [»dennPJ_1980]

Subtopic: capability vs. access list

Quote: capabilities are more efficient for exercising permissions but access lists are better for managing permissions; should have a mix of methods [»dennPJ_1980]
Quote: access lists are stored with an object; difficult to add users since it may require modification of many lists

Subtopic: automated discovery

Quote: a user's actions implicitly specify the desired permissions for processes and objects

Subtopic: mandatory access control

Quote: mandatory access control limits damage a Trojan horse can do; e.g., military security levels (clearance for classified objects) [»mcleJ1_1990]
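Added example for this page, not code from the cited paper or from Thesa: the clearances and classification levels in the quote form a lattice of security classes (Denning's lattice model, quoted under problems with access control below). The levels, compartment names and files are constructed. The scenario shows why the control is mandatory: a Trojan horse running with a SECRET clearance can read SECRET data but cannot write it into an UNCLASSIFIED file, whatever that file's discretionary access list says. Covert channels are outside the model, as the later quote notes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A security class is a hierarchical level plus a set of compartments
 * (categories) held in a bitmask. Constructed names for the example. */
enum level { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };
enum { CAT_NUCLEAR = 1u << 0, CAT_CRYPTO = 1u << 1, CAT_NAVAL = 1u << 2 };

typedef struct { enum level level; uint32_t categories; } sclass_t;

/* The lattice order: a dominates b iff a's level is at least b's and a's
 * compartment set is a superset of b's. */
bool dominates(sclass_t a, sclass_t b) {
    return a.level >= b.level && (b.categories & ~a.categories) == 0;
}

/* Least upper bound: the class given to data derived from classes a and b. */
sclass_t join(sclass_t a, sclass_t b) {
    sclass_t r = { a.level > b.level ? a.level : b.level, a.categories | b.categories };
    return r;
}

/* No read up: a subject may read an object only if its clearance dominates
 * the object's class. No write down: it may write only to objects whose
 * class dominates its clearance, so information never flows to a lower class. */
bool may_read(sclass_t subject, sclass_t obj)  { return dominates(subject, obj); }
bool may_write(sclass_t subject, sclass_t obj) { return dominates(obj, subject); }

/* Constructed scenario. Returns a bitmask of the rules that held; 63 means
 * every expectation was met. */
int trojan_scenario(void) {
    sclass_t subject     = { SECRET, CAT_NUCLEAR };   /* clearance of the Trojan's process */
    sclass_t secret_file = { SECRET, CAT_NUCLEAR };
    sclass_t public_file = { UNCLASSIFIED, 0 };
    sclass_t naval_file  = { SECRET, CAT_NAVAL };
    int bits = 0;
    if (may_read(subject, secret_file))   bits |= 1;   /* legitimate read */
    if (!may_write(subject, public_file)) bits |= 2;   /* the leak is blocked */
    if (may_write(subject, secret_file))  bits |= 4;   /* same class: allowed */
    if (!may_read(subject, naval_file))   bits |= 8;   /* same level, wrong compartment */
    if (may_read(subject, public_file))   bits |= 16;  /* reading down is fine */
    sclass_t derived = join(secret_file, naval_file);
    if (derived.level == SECRET && derived.categories == (CAT_NUCLEAR | CAT_NAVAL)) bits |= 32;
    return bits;
}

int main(void) {
    printf("scenario bits: %d (expect 63)\n", trojan_scenario());
    return 0;
}
```

The discretionary list on public_file is never consulted: the lattice check runs first and the Trojan horse, however it was granted write access, cannot move SECRET data below its class.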

Subtopic: distributed security

Quote: access control lists do not work well for distributed systems; need authentication, delegation, extensibility, and customized policies [»blazM_1999]

Subtopic: transfer of access rights

Quote: a process may pass a subset of its permissions to other domains if it has 'copy' permission [»dennPJ_1980]
Quote: set-user-ID changes program access rights to those of the program's creator; allows privileged programs [»ritcDM7_1978a]
Quote: setuid is poorly designed and widely misused; causes security vulnerabilities [»chenH8_2002]
Quote: develop finite state model of user ids; uncover pitfalls in setuid, define proper usage, and propose a high-level API
Quote: setuid API for temporary and permanent privileges; works for OpenSSH; does not handle group privileges [»chenH8_2002]
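As an added example (this page's own, not Chen et al.'s code or Thesa's), here is a minimal C version of the temporary and permanent privilege-drop API the quotes above describe. The function names are this example's assumptions. It follows the paper's advice of re-reading the user ids after every call, because the setuid family behaves differently across Unix variants and can fail silently, and it covers only user ids, not group privileges, matching the limitation noted above. Run as an ordinary user, the privileged and unprivileged ids coincide and every call succeeds trivially; the unrecoverability check is only meaningful in a setuid-root binary.

```c
#define _XOPEN_SOURCE 700
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>

/* Recorded at startup. In a setuid-root program, privileged_uid is 0 and
 * unprivileged_uid is the real uid of the invoking user. */
static uid_t privileged_uid;
static uid_t unprivileged_uid;

void save_uids(void) {
    privileged_uid = geteuid();
    unprivileged_uid = getuid();
}

/* Temporary drop: make the real user the effective user. seteuid() leaves the
 * saved set-user-ID untouched, so the privilege can be regained. Each function
 * re-reads the ids rather than trusting the return value. 0 on success, -1 otherwise. */
int drop_priv_temp(void) {
    if (seteuid(unprivileged_uid) != 0) return -1;
    return geteuid() == unprivileged_uid ? 0 : -1;
}

int restore_priv(void) {
    if (seteuid(privileged_uid) != 0) return -1;
    return geteuid() == privileged_uid ? 0 : -1;
}

/* Permanent drop. On Linux, setuid() changes real, effective and saved uids
 * only when the caller's effective uid is root; called while temporarily
 * dropped it changes just the effective uid and leaves root in the saved uid,
 * one of the pitfalls the finite state model exposes. So restore first, drop
 * everything, then confirm that regaining privilege now fails. */
int drop_priv_perm(void) {
    if (geteuid() != privileged_uid && seteuid(privileged_uid) != 0) return -1;
    if (setuid(unprivileged_uid) != 0) return -1;
    if (getuid() != unprivileged_uid || geteuid() != unprivileged_uid) return -1;
    if (privileged_uid != unprivileged_uid && seteuid(privileged_uid) == 0)
        return -1;   /* privilege was not really dropped */
    return 0;
}

int main(void) {
    save_uids();
    printf("start: uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    if (drop_priv_temp() != 0) { fprintf(stderr, "temporary drop failed\n"); return 1; }
    printf("temporarily dropped: euid=%u\n", (unsigned)geteuid());
    if (restore_priv() != 0) { fprintf(stderr, "restore failed\n"); return 1; }
    if (drop_priv_perm() != 0) { fprintf(stderr, "permanent drop failed\n"); return 1; }
    printf("permanently dropped: uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

The pattern a setuid program should follow is: save_uids() first thing, drop_priv_temp() before any work that does not need privilege, restore_priv() only around the privileged operation, and drop_priv_perm() as soon as no further privilege will ever be needed. The final seteuid() probe in drop_priv_perm() is the check most programs omit and the reason the permanent drop is verified rather than assumed.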

Subtopic: superuser

Quote: the Unix super-user has unrestricted access rights [»ritcDM7_1978a]
Quote: identify Andrew superusers by membership in System:Administrators; provides audit trail by user id and simple revocation of privileges [»satyM8_1989]
Quote: UNIX password system for frustrating widespread password searches; super-user passwords already effective [»morrR4_1978]

Subtopic: revocation

Quote: use negative access rights for rapid and selective revocation of rights to sensitive objects
Quote: revoke authorities to keep the actor-ability state manageable [»yeeKP12_2002]

Subtopic: role-based security

Quote: user group icons contain individual users or other groups; for distribution and access control [»smitDC_1982]
Quote: Quilt controls activities allowed on a node type according to social roles [»fishRS3_1988]

Subtopic: hierarchical access rights by intervals

Quote: hierarchical access rights by interval containment in an interval tree; efficient representation for many users and access groups [»luQ_1999]

Subtopic: examples

Quote: Vesta access control by attributes assigned to an object or parent directory; similar to Unix; e.g., user@realm, ^group@realm, #owner, #group, #mastership-to [»heydA_2006]
Quote: access list contains a 32-bit mask of positive and negative rights; unioned with group rights in 1 scan; negative overrides positive [»satyM8_1989]
Quote: access rights for directories; restrict access to a file by linking to a private directory [»satyM8_1989]
Quote: any object in a HAM database can have an access control list with access, annotate, update or destroy permissions [»campB7_1988]
Quote: an owner of a ZOG frame can add other owners, read-protect it, or write-protect it [»akscRM5_1984]
Quote: owner of a KMS frame can make it read or write protected [»akscRM7_1988a]
Quote: a KMS frame can be annotate only but most frames are left unprotected to encourage correction of typos [»akscRM7_1988a]
Quote: authorization model for relational databases; positive and negative authorizations, exceptions, groups, temporary suspensions [»bertE4_1999]

Subtopic: examples of capabilities

Quote: assign security IDs to threads, extensions, and other objects; operations require permission; access mode is a 64-bit vector of permissions and permission objects [»grimR2_2001]
Quote: SPIN OS provides language-based, fine-grained access control and fine-grained user extensions; static type checking and dynamic linking [»bersBN12_1995]

Subtopic: problems with access control

Note: access control and visibility tend to be either too limited or too liberal; hard to make them work [»cbb_1990, OK]
Quote: access control needs state to record the duration of code usage for billing purposes; otherwise global file systems will prevent usage-based billing [»hausRC11_1994]
Quote: lattice model of secure information flow; ignores covert channels; need access control and flow control [»dennDE5_1976]

Related Topics

Group: file system   (9 topics, 305 quotes)
Group: memory management   (11 topics, 367 quotes)

Topic: authentication (93 items)
Topic: data type by access rights (20 items)
Topic: group names (16 items)
Topic: memory management by paging (23 items)
Topic: memory management for programs and modules (12 items)
Topic: opaque and partially-opaque data types (14 items)
Topic: operating system security (18 items)
Topic: security by secure domains (45 items)
Topic: security by capabilities (65 items)

Updated barberCB 1/05
Copyright © 2002-2008 by C. Bradford Barber. All rights reserved.
Thesa is a trademark of C. Bradford Barber.