
PROTECTION/PROTECTED_SUBS           Aegis            PROTECTION/PROTECTED_SUBS



NAME
     protection/protected subsystems - Details about Protected Subsystems

DESCRIPTION
     The protected subsystems mechanism is part of the operating system's
     protection capabilities.  In contrast to the Access Control List (ACL)
     mechanism, which lets you specify WHO can access files, protected
     subsystems add the ability to define exactly HOW those files can be
     accessed.  Using protected subsystems, you can tightly control the
     range of permissible operations that users may perform on files.

     Protected subsystems allow you to designate a body of data (a protected
     collection of files) for use solely by specified programs (the managers
     of a subsystem).  This permits broad groups of users (specified by ACL
     information) to access the data only through the managing programs of
     the subsystem.  Typically, the subsystem managers perform operations
     that a normal user would be prohibited from doing -- for instance,
     modifying the network registry files.  Because the files involved (the
     registry files, in our example) are opened only by the managing
     programs, which validate and filter each user's request, users can be
     allowed to perform operations that previously had to be restricted to
     trusted people.

     BASIC CONCEPTS

     In more detail, a protected subsystem is composed of a set of programs
     and a set of objects (data files).  The programs are called the MANAGERS
     of the protected subsystem; the objects are called PROTECTED OBJECTS and
     are said to be OWNED by the subsystem.  For an object to be owned by a
     subsystem, it must be SEALED by that subsystem.  When you run a
     subsystem's manager program, you are said to be RUNNING INSIDE THE
     SUBSYSTEM, or simply INSIDE the subsystem; at other times, you are
     OUTSIDE the subsystem.  The operating system defines ways of accessing or
     operating on objects, primarily via mapping and via file operations
     (i.e., reads and writes); these are called BASE ACCESSES or BASE
     OPERATIONS.  Collectively, the managers of a subsystem create and define
     a broader set of operations that can be performed upon the objects owned
     by the subsystem; these are called EXTENDED ACCESSES or EXTENDED
     OPERATIONS.

     Notice that the integrity of a subsystem's objects is maintained only so
     long as the subsystem's manager programs retain sole access to them
     (assuming the programs contain no bugs); what the protected subsystem
     mechanism does is allow a subsystem to ENFORCE this protection property.

     The primary enforcement mechanism is to allow a subsystem to restrict
     base access to an object (for instance, reading and writing a protected
     file) to processes running inside the subsystem.  The managers of a
     subsystem have (potentially, at least) ALL base rights to the objects
     owned by the subsystem.  Only the managers, therefore, can directly read
     and write their protected objects, and all user operations on protected
     objects must go through the subsystem's extended operations.  Users may
     not read and write the protected files directly, but only through (and
     under the supervision of) a subsystem manager.
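
     The following toy reference monitor is an added illustration written
     for this page, not Aegis code and not part of the original manual.  It
     models the rules above: a sealed object accepts base accesses (read,
     write) only from a process running inside the owning subsystem; the ACL
     decides WHO may run the manager; the manager's extended operation
     decides HOW the sealed file may change.  The class and user names, the
     sample 'accounts' file and the 'registry' subsystem are all assumptions
     chosen to mirror the description, not the real Domain/OS interface.

```python
"""Toy reference monitor for the protected-subsystem rules on this page.

Added illustration, not Aegis code: Subsystem, ProtectedObject, Process,
RegistryManager, the 'registry' subsystem, the 'accounts' file and the
user names are assumptions, not the real Domain/OS interface.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


class AccessDenied(Exception):
    """Raised when a base or extended operation is refused."""


@dataclass
class ProtectedObject:
    name: str
    sealed_by: Optional[str] = None      # owning subsystem; None while unsealed
    data: List[str] = field(default_factory=list)


@dataclass
class Process:
    user: str
    inside: Optional[str] = None         # subsystem this process runs INSIDE, if any


@dataclass
class Subsystem:
    name: str
    run_acl: Set[str]                    # WHO may run the managers (ACL information)

    def seal(self, obj: ProtectedObject) -> None:
        """Sealing makes obj OWNED by this subsystem."""
        obj.sealed_by = self.name


def _check_base(proc: Process, obj: ProtectedObject, right: str) -> None:
    """Base access to a sealed object is allowed only from a process running
    INSIDE the owning subsystem; unsealed objects are not restricted here."""
    if obj.sealed_by is not None and proc.inside != obj.sealed_by:
        raise AccessDenied(f"{proc.user} is outside {obj.sealed_by}: "
                           f"no {right} on {obj.name}")


def base_read(proc: Process, obj: ProtectedObject) -> List[str]:
    _check_base(proc, obj, "read")
    return list(obj.data)


def base_write(proc: Process, obj: ProtectedObject, line: str) -> None:
    _check_base(proc, obj, "write")
    obj.data.append(line)


class RegistryManager:
    """Manager of the hypothetical 'registry' subsystem.  Its one extended
    operation decides HOW the sealed file may change: well-formed,
    non-duplicate 'name:uid' entries only.  Its input checks are the trust
    boundary; a bug here is a bug in the subsystem's protection."""

    def __init__(self, subsystem: Subsystem, accounts: ProtectedObject):
        self.subsystem = subsystem
        self.accounts = accounts

    def add_account(self, caller: Process, name: str, uid: int) -> int:
        """Extended operation.  Returns the entry count after the add."""
        if caller.user not in self.subsystem.run_acl:      # WHO: the ACL
            raise AccessDenied(f"{caller.user} may not run {self.subsystem.name}")
        if not name.isalnum() or uid < 0:                  # HOW: the manager
            raise ValueError("malformed account entry")
        # While the operation runs, the caller is INSIDE the subsystem, so
        # the manager may exercise base rights on the sealed file.
        inside = Process(caller.user, inside=self.subsystem.name)
        if any(entry.split(":")[0] == name
               for entry in base_read(inside, self.accounts)):
            raise ValueError(f"duplicate account {name}")
        base_write(inside, self.accounts, f"{name}:{uid}")
        return len(self.accounts.data)


def demo() -> dict:
    """Outside user: direct base write refused, filtered extended op allowed."""
    registry = Subsystem("registry", run_acl={"alice", "bob"})
    accounts = ProtectedObject("accounts", data=["root:0"])   # constructed sample
    registry.seal(accounts)
    mgr = RegistryManager(registry, accounts)
    alice = Process("alice")                                  # OUTSIDE the subsystem
    results = {}
    try:
        base_write(alice, accounts, "alice:0")                # base access from outside
        results["direct_write"] = "allowed"
    except AccessDenied:
        results["direct_write"] = "denied"
    results["extended_add"] = mgr.add_account(alice, "alice", 1001)
    try:
        mgr.add_account(alice, "root", 0)                     # manager filters it
        results["duplicate"] = "allowed"
    except ValueError:
        results["duplicate"] = "rejected"
    try:
        mgr.add_account(Process("mallory"), "mallory", 0)     # not on the ACL
        results["unlisted_user"] = "allowed"
    except AccessDenied:
        results["unlisted_user"] = "denied"
    results["accounts"] = list(accounts.data)
    return results


if __name__ == "__main__":
    print(demo())
```

     Note what the model makes visible: the ACL alone would let alice write
     "alice:0" into the file, and nothing in the ACL distinguishes a
     well-formed entry from a corrupt one.  Sealing removes her base access
     entirely, and the manager's validation is then the only path by which
     the file changes, which is exactly why the manual's caveat about bugs in
     the manager programs matters.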


SEE ALSO
     protected_subsystems
     for more information on the commands that maintain protected subsystems.

     acls
     for more information on the commands that manipulate ACLs.

     protection
     for more information on protection in general.

     protection rights
     for more information on base access rights.

     protection sids
     for information on Subject Identifiers (SIDs).

     protection acls
     for information about ACLs.

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026