next up previous contents
Next: Inheritance Up: Access lists Previous: Access lists   Contents

Mapping elements of $ \frac {F}{\mathcal{R}_G}$ to those of $ \mathcal{P}(R)$

For each program, we must be able to give a permissions set. We gather programs into equivalence classes of $ \frac {F}{\mathcal{R}_G}$. Thanks to the canonical bijection between $ G$ and $ \frac {F}{\mathcal{R}_G}$, which maps $ x \in G$ to $ \bar{x} \in \frac {E}{\mathcal{R}_G}$, this amount to giving to each element of $ G$ a permissions set. This permission set is a subset of $ R$, which can be made by selecting rows in the table in section [*].

We saw in section [*] that we can also reduce the number of rows of the table using the underlaying structure of the filesystem hierarchy.

We will carry on with the example of the figure [*], where $ G=\{\texttt{/}, \texttt{/usr/bin/}, \texttt{/etc/}\}$. Let's define $ \beta$'s graph for example as following:

$\displaystyle \beta(\texttt{/})=H_{\texttt{/}}$ $\displaystyle =$ $\displaystyle \{\texttt{/},\texttt{/usr/}\}$  
$\displaystyle \beta(\texttt{/usr/bin/})=H_{\texttt{/usr/bin/}}$ $\displaystyle =$ $\displaystyle \{\texttt{/},\texttt{/etc/}, \texttt{/usr/bin/lpr}\}$  
$\displaystyle \beta(\texttt{/etc/})=H_{\texttt{/etc/}}$ $\displaystyle =$ $\displaystyle \{\texttt{/},\texttt{/usr/}, \texttt{/usr/etc/fstab}\}$  

This lead to figures [*], [*] and [*].

Figure: From $ H_{\texttt{/}}$ to the equivalence classes of $ \frac {F}{\mathcal{R}_{H_{\texttt{/}}}}$.
\includegraphics[width=4cm]{fig/hf1.eps} to 1cm to 2cm $ \longrightarrow$ \includegraphics[width=4cm]{fig/hf1qs.eps}

Figure: From $ H_{\texttt{/usr/bin/}}$ to the equivalence classes of $ \frac {F}{\mathcal{R}_{H_{\texttt{/usr/bin/}}}}$.
\includegraphics[width=4cm]{fig/hf2.eps} to 1cm to 2cm $ \longrightarrow$ \includegraphics[width=4cm]{fig/hf2qs.eps}

Figure: From $ H_{\texttt{/etc/}}$ to the equivalence classes of $ \frac {F}{\mathcal{R}_{H_{\texttt{/etc/}}}}$.
\includegraphics[width=4cm]{fig/hf3.eps} to 1cm to 2cm $ \longrightarrow$ \includegraphics[width=4cm]{fig/hf3qs.eps}

When /usr/bin/vi is exec'd, it is given (in addition to its inherited capabilities) the capabilities given by

$\displaystyle \begin{matrix}
F & \overset{\bar{.}}{\longrightarrow} &
\frac {F...
...&
\texttt{/usr/bin/} & \longrightarrow &
\text{capabilities set}
\end{matrix}$

If it wants to access, say, /etc/fstab, the following operations are done :

$\displaystyle \begin{matrix}
F & \overset{\bar{.}}{\longrightarrow} &
\frac {F...
... &
\texttt{/usr/bin/} & \longrightarrow &
H_{\texttt{/usr/bin/}}
\end{matrix}$

Now that we obtained $ H_{\texttt{/usr/bin/}}$, we can carry on :

$\displaystyle \begin{matrix}
F & \overset{\tilde{.}}{\longrightarrow} &
\frac {...
...ightarrow} &
\texttt{/etc/} & \longrightarrow & \text{permissions}
\end{matrix}$


next up previous contents
Next: Inheritance Up: Access lists Previous: Access lists   Contents
Biondi Philippe 2000-12-15