• Official journal of the China Computer Federation
  • Chinese Science and Technology Core Journal
  • Chinese Core Journal

J4 ›› 2006, Vol. 28 ›› Issue (2): 104-106.

• Papers

Implementing a Capability Mechanism under the Role-Based Authorization Framework

陈松政 何连跃 罗军   

  • Online:2006-02-01 Published:2010-05-20

Abstract:

In this paper we design and implement a complete capability mechanism conforming to the POSIX 1003.1e draft specification on the role-based authorization framework of the Kylin operating system, and we introduce the concepts of role capability and user capability. With this mechanism, least privilege can be enforced effectively in the system, including privilege partitioning, controlling setuid and setgid programs, and restricting daemon programs. As a result, the system no longer has a superuser; its functions are divided among several administrator users. Each process holds only the privileges required to complete its task, which effectively prevents the abuse of privileges and greatly improves system security.

Key words: role based authorization framework, privilege, capability, capability state, least privilege