PROTECTION/PROTECTED SUBSYSTEMS -- Details about Protected Subsystems 83/08/05
The protected subsytems mechanism is a part of AEGIS protection capabilities.
In contrast to the Access Control List (ACL) mechanism, which allows you to
specify WHO can access files, protected subsystems provide you the added
ability to define exactly HOW those files can be accessed. Using protected
subsystems, you can tightly control the range of permissable operations that
users may perform on files.
Protected subsystems allow you to designate a body of data (a protected
collection of files) for use solely by specified programs (managers of a
subsystem). This permits broad groups of users (specified by ACL information)
to access data via the managing programs of a subsystem. Typically, the
subsytem managers perform operations that a normal user would be prohibited
from doing -- for instance, modifying the network registry files. Since the
files in use, however (registry files, in our example), are opened only by
the managing programs which filter the user's requests, users may perform
operations that previously were restricted to trusted people.
BASIC CONCEPTS
In more detail, a PROTECTED SUBSYSTEM is composed of a set of programs and
a set of objects (data files). The programs are called the MANAGERS of the
protected subsystem; the objects are called PROTECTED OBJECTS and are said to
be OWNED by the subsystem. For an object to be owned by a subsystem, it must
be SEALED by that subsystem. When you run a subsystem's manager program,
you are said to be RUNNING INSIDE THE SUBSYSTEM, or simply INSIDE the
subsystem; at other times, you are OUTSIDE the subsystem. The operating
system defines ways of accessing or operating on objects, primarily via
mapping and via file operations (i.e., reads and writes); these are called
BASE ACCESSES or BASE OPERATIONS. Collectively, the managers of a subsystem
create and define a broader set of operations that can be performed upon the
objects owned by the subsystem; these are called EXTENDED ACCESSES or
EXTENDED OPERATIONS.
Notice that the integrity of a subsystem's objects is maintained only so
long as the subsystem's manager programs retain sole access to them (assuming
the programs contain no bugs); what the protected subsystem mechanism does
is allow a subsystem to ENFORCE this protection property.
The primary enforcement mechanism is to allow a subsystem to restrict base
access to an object (for instance, reading and writing a protected file) to
processes running inside the subsystem. The managers of a subsystem have
(potentially, at least) ALL base rights to the objects owned by the subsystem.
Thus, only the managers can directly read and write their protected objects,
and all user operations on protected objects must be via the subsystem's
extended operations. Thus users might not read and write the protected
files directly, but only through (and under the supervision of) a subsystem
manager.
More information is available. Type:
- HELP PROTECTION
for more information on protection in general.
- HELP PROTECTION RIGHTS
for more information on base access rights.
- HELP ACLS
for more information on the commands that manipulate ACLs.
- HELP PROTECTED_SUBSYSTEMS
for more information on the commands that maintain protected subsystems.