An Operating Systems Vade Mecum

196 File Structures Chapter 6

2.1 A formal model of access control

Our formal model deals with subjects, which are the entities that wish to access data, and objects, which are the units of data that may be accessed. For our purposes, the subjects are users (or processes acting on their behalf). Subjects can be represented by user identifiers, which are associated with all the processes running on behalf of a particular user. The objects we will deal with are entire files. We will not deal with access control on a finer grain than entire files, although database applications often impose controls on the record or byte level of granularity. We will allow a process to access either a whole file or none of it.

The formal model of subjects and objects can be applied to other situations besides file systems. For example, one can describe the scope of identifiers in a Pascal program by considering procedures as subjects and identifiers as objects. As a second example, one can describe the interplay of a community of cooperating processes by letting processes be both subjects and objects.

In each of these subject-object worlds, individual objects may have several access modes. Files can be read or written. (A more complete list will be presented shortly.) Identifiers can be invoked (if they are procedures), read or written (if they are variables), only read (if they are constants), or applied to new declarations (if they are types). Cooperating processes can be asked to perform different tasks, depending on the program that the process is running.

Our formal access model will allow us to specify which access modes are allowed between each subject and each object. In the file world, for example, Mary Smith may not care who looks at her histology notes (mode = read) as long as only she can modify them (mode = write). But she doesn't want anyone else even to look at her thesis, except possibly her adviser. Her mail file should be available for people to add messages (mode = append) but not to overwrite in the middle and certainly not to inspect.

We will therefore determine whether to allow a given access by considering three factors:

the subject
the object
the access mode.

To perform an access of a given mode, the subject must have the appropriate access right. We will use the term privilege as a synonym for "access right." For files, the access modes that might be provided include the following.

Read: Derive information from the object.
Write: Initialize or modify the information in the object.
Append: Add new information to the object.
Execute: Treat the object as a load image.
Delete: Remove the object.
Privilege: Modify the rights that subjects have to the object.
SetOwner: Establish which subject owns the object.
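The following is an added example, not code from the book: Mary Smith's three files encoded as an access matrix of subject, object and set of modes, with a decision function over the three factors and a grant operation that is itself gated by the Privilege mode. Subject names ("mary", "adviser", "bob"), file names and the "*" default-rights entry are constructed for the example.

```python
# Added example (not from the book): an access matrix for the subject/object/mode
# model, using the file access modes listed in the text.
from enum import Enum, auto

class Mode(Enum):
    READ = auto(); WRITE = auto(); APPEND = auto(); EXECUTE = auto()
    DELETE = auto(); PRIVILEGE = auto(); SETOWNER = auto()

# Constructed matrix: anyone may read the histology notes, only Mary may write
# them; only Mary and her adviser may read the thesis; anyone may append to
# the mail file, but only Mary may read or overwrite it. "*" holds the rights
# every subject gets; a named subject's own entry is added on top of it.
MATRIX = {
    "*":       {"histology": {Mode.READ}, "mail": {Mode.APPEND}},
    "mary":    {"histology": {Mode.READ, Mode.WRITE, Mode.PRIVILEGE},
                "thesis":    {Mode.READ, Mode.WRITE, Mode.PRIVILEGE},
                "mail":      {Mode.READ, Mode.WRITE, Mode.APPEND, Mode.PRIVILEGE}},
    "adviser": {"thesis": {Mode.READ}},
}

def rights(matrix, subject, obj):
    """Union of the default rights and the subject's own rights on obj."""
    default = matrix.get("*", {}).get(obj, set())
    own = matrix.get(subject, {}).get(obj, set())
    return default | own

def check_access(matrix, subject, obj, mode):
    """The access decision from the three factors: subject, object, mode."""
    return mode in rights(matrix, subject, obj)

def grant(matrix, granter, subject, obj, mode):
    """Changing rights on an object is itself an access in mode PRIVILEGE,
    so the granter must hold PRIVILEGE on that object."""
    if not check_access(matrix, granter, obj, Mode.PRIVILEGE):
        return False
    matrix.setdefault(subject, {}).setdefault(obj, set()).add(mode)
    return True
```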
