关键词: 角色定权框架 特权 能力 能力状态 最小特权

Abstract:

In this paper we fully design and implement the capability mechanism conforming to the draft specification Posix1003. 1e on the role-based authorizati on framework of the Kylin operating system. And also we introduce the conception of role capability and user capability. By the design we can practise t he least privilege efficiently in the system, such as privilege partitioning, controlling setuid and setgid programs as well as restricting daemon progr ams. Thus in the system there are no superusers any more, and their functions are divided into several administrators; each process only has the privile ge required to finish its tasks, which can prevent the abuse of orivileges and increase system security greatly.

Key words: role based authorization framework, privilege, capability, capability state, least privilege