| Discretionary Access Control (DAC) is one of the most common security mechanisms in the secure operation system, which has a fundamental that a user can discretionarily decide who can access his own files, based on the entity authentication. However, in Linux, a super-user is unrestricted because of its full privilege so that the file owner could not completely control the access authorization of the file.To address this problem, on the strength of deep analysis of current access control checking and with Access Control List (ACL) and capabilities-controlling mechanism,a new mechanism called Strict Access Control (SAC) is proposed. This mechanism ensures that super-users should obtain the file owner's legal authorization to access the file via restricting the privilege overriding DAC checking. In practice, however,restricting the privilege overriding DAC checking completely may bring some problems for system running.To the deficiency of SAC, this paper brings forward a User-List-based Strict Access Control (ULSAC). Users can decide whether it can be implemented or not and which files need to be strictly protected by a user-file list for users who carry on strict access control in operating system kernel. Meanwhile, a special configuration management tool for the user-file list is created, and users can manage the user-file list only via this tool.Ultimately, this paper uses the KTE strategy in Kylin to protect the user-file list and to prevent users from illegally operating others'file linked lists. Moreover, it shows process of realization of the project and simulates a functional test for strict discretionary access control.The research in this paper plays a significant role in practice. In Kylin, by implementing strict access control mechanism, file owners can completely control the access authorization, and any other user cannot access the files if these users do not get the file owners'discretionary authorization. |
PDF Full Text Request