Invitation to Cybersecurity

8. The Means of Cybersecurity: Access Control 203

To implement authorization, OSs are organized around subjects and objects. Subjects are the actors in a computer system. They include users, groups, and processes. Objects are the resources on a computer, including files, directories, and programs. Objects are acted upon by subjects.

Non-human users, called system users, are needed to take actions on behalf of the OS. System users are not assigned a password and are not for logging in to the computer. They are managed by the OS. For example, a system user might trigger an antivirus program to run on a set schedule to scan for malware.

In most OSs, when a program runs, it runs by default with the permission of the user that started it—this is called delegation. So, if the antivirus program needs to read all of the files in the system, then the system user that starts it must have permissions to read all the files, too. In some OSs it is also possible to override delegation and have a program run with the permissions of the user that owns the program instead of the permissions of the user that started the program.

All of the permissions in an OS can be recorded in a permissions matrix (see Table 8.2). A permissions matrix captures all the permissions subjects have on objects. If every subject and object is listed in the matrix, then it would detail every possible interaction. The columns in a permissions matrix are the subjects and the rows are the objects. The intersection of a row and column records what permission the subject has on that object.

Table 8.2 Example Linux-style permissions matrix.

Linux OSs employ a basic read, write, and execute permissions model (abbreviated RWX, respectively). Read is the view permission, write is the modify permission, and execute is the permission to run a program or script. It does not make sense to have an execute permission on an ordinary text file because it cannot be run, but users do need execute permissions for programs and scripts.

Permissions have different meanings for files and directories. A directory is a container for files and is sometimes called a folder in the Windows OS since it is represented by a folder icon. The read permission for a directory means a user can see the files and subdirectories within it, the write permission means the user can create files and subdirectories within it, and the execute permission means a user can change directories into it with the cd command.
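The permissions matrix, delegation, and the directory meanings of RWX described above can be modelled in a few lines of Python. This is an added example, not code from the book; the users, paths, and the `run_as_owner` flag are constructed for illustration.

```python
from dataclasses import dataclass

# Rows are objects, columns are subjects; each cell is a subset of "rwx".
# Every name and path here is constructed for illustration.
MATRIX = {
    "/home/alice": {"alice": "rwx", "avscan": "rx"},
    "/home/alice/notes.txt": {"alice": "rw", "avscan": "r"},
    "/usr/bin/scanner": {"alice": "x", "bob": "x", "avscan": "rx"},
}

@dataclass
class Program:
    path: str
    owner: str
    run_as_owner: bool = False  # hypothetical flag: override delegation

def allowed(subject, perm, obj):
    """One matrix cell: does subject hold perm ('r', 'w' or 'x') on obj?
    A missing row or column means no permission (default deny)."""
    return perm in MATRIX.get(obj, {}).get(subject, "")

def start(user, program):
    """Subject the new process acts as, or None if user may not run it."""
    if not allowed(user, "x", program.path):
        return None
    return program.owner if program.run_as_owner else user

def process_can(user, program, perm, obj):
    """Can a process of `program`, started by `user`, use perm on obj?"""
    subject = start(user, program)
    return subject is not None and allowed(subject, perm, obj)

# Directory meanings of RWX as given in the text.
DIR_ACTIONS = {"list": "r", "create": "w", "cd": "x"}

def dir_allowed(subject, action, directory):
    """Map a directory action onto the permission bit that governs it."""
    return allowed(subject, DIR_ACTIONS[action], directory)

if __name__ == "__main__":
    notes = "/home/alice/notes.txt"
    delegated = Program("/usr/bin/scanner", owner="avscan")
    as_owner = Program("/usr/bin/scanner", owner="avscan", run_as_owner=True)
    for user in ("avscan", "bob"):
        print(user, "delegated:", process_can(user, delegated, "r", notes),
              "as owner:", process_can(user, as_owner, "r", notes))
    print("avscan may create in /home/alice:",
          dir_allowed("avscan", "create", "/home/alice"))
```

With `run_as_owner` set, a process started by bob reads a file for which bob has no cell in the matrix, which is why programs that override delegation deserve the closest review.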
