INVITATION TO CYBERSECURITY 202

8.2 Authorization

Once a person has been authenticated, the system is able to associate the user with data and activities. This makes authorization possible. Authorization is permitting or denying access to a resource. Authorization asks the question, “Now that I know who you are, are you allowed to do that?” For example, when a user tries to open a file, the operating system (OS) needs to verify the access that the user has for that specific file, and then permit or deny the request.

8.2.1 Operating Systems

On a computer system, permissions are set and enforced by the OS. The person who owns a computer typically has the highest level of user privileges available. For Windows machines, this is called administrator access, and for Linux and Mac machines, it is called root access. Users with this level of access are able to take any available user action. Typical actions on a computer system include creating, updating, and deleting files and users, installing, running, and deleting programs, modifying system configuration settings, and assigning permissions to other users. Users issued computers from their employers for work typically do not have administrator access, preventing them from changing certain settings or installing programs for security reasons.

Some computers, like the computers in a computer lab, have multiple users. Different users might have different permissions on the computers. For example, Alice might have full permissions over files in her home directory but be unable to view the files in Bob’s home directory, and vice versa.

Most OSs that run on personal computers implement discretionary access control (DAC). In these systems the OS allows users to assign permissions to other users. For example, a user who creates a file could allow other users to view or modify the file, or restrict them from doing so.

Users can be associated with other users through groups. A group is a collection of users. Groups can be assigned permissions just like individual users, and all of the users in a group share the same permissions. For example, for a university’s introduction to programming class, all of the students could be given user accounts on a Linux computer, allowing them to write, compile, and run their programs. Rather than setting their permissions one by one, the instructor could add all the students to a student group. The student group could then be given permission to view all of the files in the instructor’s labs directory, but not permissions to modify the files. When a student clicks on a lab file, the OS checks the permission, sees that the user is in the student group, and serves the file to the student as read-only—this means the student can read but not modify the file.

Instructors for the class could be added to a teacher group. The teacher group could have read and write privileges for the lab directory as well as the answer key directory. A failure of access control would occur if a student is able to modify a lab or view an answer key file.
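
The student and teacher group scenario above can be modeled in a few lines. The following is an added example, not part of the original text: a simplified, default-deny model of group-based permissions with an audit that reports the access control failures the section describes. The user names, directory paths, and function names are assumptions made for illustration, and a real OS check has more cases than this model.

```python
# Simplified model of group-based access control (illustrative, not a real OS API).
READ, WRITE = "read", "write"

# Constructed sample data: group -> members.
GROUPS = {"student": {"alice", "bob"}, "teacher": {"carol"}}

# Constructed sample data: directory -> {group: permitted actions}.
ACL = {
    "/class/labs": {"student": {READ}, "teacher": {READ, WRITE}},
    "/class/answer_key": {"teacher": {READ, WRITE}},
}

def groups_of(user, groups=GROUPS):
    """Return every group the user belongs to."""
    return {g for g, members in groups.items() if user in members}

def is_allowed(user, action, path, acl=ACL, groups=GROUPS):
    """Default deny: permit only if some group of the user grants the action."""
    directory = next(
        (d for d in acl if path == d or path.startswith(d + "/")), None
    )
    if directory is None:
        return False  # no entry covers this path, so deny
    # A user's effective permissions are the union over all of their groups.
    return any(
        action in acl[directory].get(g, set()) for g in groups_of(user, groups)
    )

def audit(acl=ACL, groups=GROUPS):
    """List (user, action, directory) triples where a student can modify a
    lab or reach the answer key, i.e. an access control failure."""
    forbidden = [
        (WRITE, "/class/labs"),
        (READ, "/class/answer_key"),
        (WRITE, "/class/answer_key"),
    ]
    return [
        (user, action, directory)
        for user in sorted(groups.get("student", set()))
        for action, directory in forbidden
        if is_allowed(user, action, directory, acl, groups)
    ]

if __name__ == "__main__":
    print(is_allowed("alice", READ, "/class/labs/lab1.txt"))
    print(audit())
```

Because permissions are the union of a user's groups, the audit also flags a student who has been added to the teacher group, even when the permission table itself is correct.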