2011-10-31

types of access constraints

10.5: todo.adda/types of access constraints:
. {rom, wom, xom, xwm} could be the keywords for the
various types of access constraint for
read-, write-, execute-, and write&execute- only-memory .
. instead of having any combo of rwx,
consider that an execute priv'
implies a read priv' .
. the original unix way had in mind
-- in addition to the self, group, world groups --
a sort of 4th group: executives
those whose activities depended upon
what file they opened .
other ideas:
. when does the system need an exe'able permission?
. if that app is an executive,
then it can execute any type it recognizes as exe'able .
todo:
. review previous ideas of
how an obj's name can include access types;
(just as it includes its datatype);
eg, f.txt mean obj"f is type"txt,
so then how does its name explain
access constraints such as (rom vs rwm)
and (in vs out) param types ?

10.21: adda/types of access constraints/intro:
. the fundamental operation of unix
revolves around this:
a user with privilege status of
{owner, member of owner's group}
is applying an app to a file,
if the app and file permissions permit it .
. a file may be located in
either a private or public space:
a private space is usable by
whoever has the owner's key .
. the key holder claims self belongs to a group;
and other users can belong to the same group .
. files can grant separate permissions for
{ owner (what the keyholder can do)
, in-group (what the owner's group can do)
, in-others (what anyone can do)
}.
. an executive is a special type of app
that uses its input data
as the source of instructions it will follow
including the decision of
what it will affect on the computer;
whereas non-exec's will decide their behavior
only from their constant program code,
along with their memory of their previous behavior,
and changes in the machine's state .
. most of these non-exec's are just editors,
affecting at most the files they are given,
some private mem, and the screen buffer .
. files should be tagged executable {xom, xwm}
only if their data is suitable for
instructing some executive .

. a user can be thought of as being
a sort of executive app .
. the user's actual executive power
is determined by which group of app's
the user is allowed to execute
which in turn is determined by
the executive apps' file permissions
and whether the file considers the user
to be {owner, in-group, others}.

. executives can be calling other executives,
just as the user calls them,
so, suppose a called executive
is considered to have the same priviledge
as the {executive, user} that called it;
then, a human user could run a public app,
and when that app tries to access
the user's private files,
this would be allowed .

. the exe'able permission is saying
that if you are an executive
you can read this even if
your caller doesn't have read permission;
likewise,
having a read permission is saying:
you can read this regardless of
whether you're an executive or not .

. so, all of that was the typical
unix permissions scheme;
an alternative is capability based security:

. an app can only access
the files that are within the folders that are
listed in the app's capability descriptor .
. file's and folders, too,
can have a capability descriptor
that can override any app's capabilities .