Museum

Home

Lab Overview

Retrotechnology Articles

Online Manuals

⇒ protected_subsystems — Apollo

Media Vault

Software Library

Restoration Projects

Artifacts Sought

PROTECTION/PROTECTED SUBSYSTEMS  -- Details about Protected Subsystems     83/08/05

  The protected subsytems mechanism is a part of AEGIS protection capabilities.
  In contrast to the Access Control List (ACL) mechanism, which allows you to
  specify WHO can access files, protected subsystems provide you the added
  ability to define exactly HOW those files can be accessed.  Using protected
  subsystems, you can tightly control the range of permissable operations that
  users may perform on files.

  Protected subsystems allow you to designate a body of data (a protected
  collection of files) for use solely by specified programs (managers of a
  subsystem).  This permits broad groups of users (specified by ACL information)
  to access data via the managing programs of a subsystem.  Typically, the
  subsytem managers perform operations that a normal user would be prohibited
  from doing -- for instance, modifying the network registry files.  Since the
  files in use, however (registry files, in our example), are opened only by
  the managing programs which filter the user's requests, users may perform
  operations that previously were restricted to trusted people.


BASIC CONCEPTS

  In more detail, a PROTECTED SUBSYSTEM is composed of a set of programs and
  a set of objects (data files).  The programs are called the MANAGERS of the
  protected subsystem; the objects are called PROTECTED OBJECTS and are said to
  be OWNED by the subsystem.  For an object to be owned by a subsystem, it must
  be SEALED by that subsystem.  When you run a subsystem's manager program,
  you are said to be RUNNING INSIDE THE SUBSYSTEM, or simply INSIDE the
  subsystem; at other times, you are OUTSIDE the subsystem.  The operating
  system defines ways of accessing or operating on objects, primarily via
  mapping and via file operations (i.e., reads and writes); these are called
  BASE ACCESSES or BASE OPERATIONS.  Collectively, the managers of a subsystem
  create and define a broader set of operations that can be performed upon the
  objects owned by the subsystem; these are called EXTENDED ACCESSES or
  EXTENDED OPERATIONS.

  Notice that the integrity of a subsystem's objects is maintained only so
  long as the subsystem's manager programs retain sole access to them (assuming
  the programs contain no bugs); what the protected subsystem mechanism does
  is allow a subsystem to ENFORCE this protection property.

  The primary enforcement mechanism is to allow a subsystem to restrict base
  access to an object (for instance, reading and writing a protected file) to
  processes running inside the subsystem.  The managers of a subsystem have
  (potentially, at least) ALL base rights to the objects owned by the subsystem.
  Thus, only the managers can directly read and write their protected objects,
  and all user operations on protected objects must be via the subsystem's
  extended operations.  Thus users might not read and write the protected
  files directly, but only through (and under the supervision of) a subsystem
  manager.

  More information is available.  Type:

   - HELP PROTECTION
     for more information on protection in general.

   - HELP PROTECTION RIGHTS
     for more information on base access rights.

   - HELP ACLS
     for more information on the commands that manipulate ACLs.

   - HELP PROTECTED_SUBSYSTEMS
     for more information on the commands that maintain protected subsystems.

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026