University of Phoenix
Introduction to Operating Systems
June 30, 2013
File Access Paper
When working with UNIX file management there are two ways in which to secure your files and only allow access to the individuals that need it. Included in the base implementation of UNIX from a very early iteration is basic access control. “Each user is assigned a unique user identification number” (Stallings, 2012, p. 558), and then assigned to a primary group. A user can also be a part of other groups as well, however, will always have a primary group assigned.
The base access control of UNIX is heavily dependent on the user id as the access request always checks the user id against the 12 security bits assigned to each file. The first 3 bits are the user bits, followed by the group bits, and then the other bits. The final 3 bits are assigned to set user ID and set group ID, followed finally by the sticky bit. The sticky bit, although never used in file access anymore, is important when used on a directory, as it tells the OS that the files in the directory can only be executed or modified by the users specified on that file and not inherited from the security of the directory.
The base scheme was fine when dealing with smaller system that only had a few users with basic access restrictions across only a few files. However as these systems grew over time, the restrictions on how many permissions could be set for any one file or directory quickly were hit and a newer more nimble system was needed. Thus Access Control Lists were born. In addition to being able to scale much larger than traditional UNIX file access, it added some capabilities to the mix as well. It adds a group class that represents the highest permissions that can be set to users and/or groups, other than the owner of the file. Also, “Additional named users and named groups may be associated with the file, each with a three-bit permission field. The permissions listed for a named user or named group are compared to the mask field. Any permission for the named user or named group that is not present in the mask field is disallowed.” (Stallings, 2012, p. 560).
With all of that information behind, let’s take a look at a system that has the 5,000 users. The administrator of said system would like to allow all but 10 users access to a particular file. The admin would first and foremost run an aclget command on the file first to determine what the current permissions are. This would also let the administrator know who the owner of the file is. Next, the administrator would create a group with the groupadd command. This group will be identified later as the group with access to the file. To do this, he would issue the usermod command on each user, ensuring that he used the “–G existing_group” modifier so that