Recall from last lecture, access right control requires P*R*M bits to store access control, which is difficult to administer and audit. Several improvements can be made to simplify access control.

• Traditional Unix: Reduce the Principle axis to 3 items: user, group and others; and reduce the number of access modes to read, write and execute, effectively making amount of information to manage scales linearly with amount of resources only.
  
  Note that in the original Unix model, each user can be in only 1 group. In BSD, each user can be in multiple groups.
  
• Access Control List (ACL): Found in Windows NT, Solaris and Apache. The owner of a resource can specify the list of principles and their accesses. For example:
  

  $ getfacl .
  # file: .
  # owner: truongd
  # group: csugrad
  baron::rwx
  khoale88::r-x
  user::rwx
  group::--x              #effective:--x
  mask:rwx
  other:--x

  Benefits: we can control the groups, but we don't have to include every principle in a resource.
  ACL has one problem, though. Suppose I am root, inspecting the system. I cd inside a bad guy's directory, then do ls. If PATH contains ".", and that directory contains the bad guy's version of ls, we will be running bad code as root. Simply inspecting the system can be fatal.
  
• Role-based Access Control (RBAC): The idea: Created as a solution to the problem with ACL. It replace the Principle axis with Roles. With RBAC, there's a table to assign roles for each user, thus there are limited roles.
  The downside of RBAC is that its implementation is complicated.
  

Mechanisms for enforcing access control:

• With ACL: each resource has an ACL (controlled by the OS) attached to it. All accesses are mediated by the OS, generally via syscalls.
  
• Capability-based: each principle has a "RCL" (set of capability)
  Difference from ACL-based: the access rights are attached to the principle instead of the resource. This can be accelerated by hardware.

From an OS point of view, it generally does not trust any appication, because it doesn't trust users, and applications run on behalf of users. Recall the whole purpose of interrupts and virtual memory.

However, some programs has to be trusted, for example, "login".

Implementation of login using a setuid() system call: change user ID of the current process. Only root can call setuid. This created a problem: normal user cannot call "login" to run a program as another user from the command line.

To solve this, we invented a 'setuid' bit, that the executable will run as the owner of the file instead of the current user. The software that is setuid'ed should be well-written! A rule of thumb is that we do not trust large software.

In the article Reflections on Trusting Trust by Ken Thompson, he proved that we cannot trust no one.

How do I trust login? Answer: suppose I am using RedHat linux and I trust RedHat. I get a checksum of "login" from RedHat. I compute the checksum of the vesion of "login" I have and make sure they match.

How does RedHat trust its "login"? Answer: It is a simple code. They read it through and make sure it is perfect.

Is that enough? What if login.c is ok, but gcc is corrupted and is producing buggy code? Answer: We read gcc.c code then recompile it.

What if gcc.c is ok, but your version of gcc binary is corrupted? Then you cannot even recompile gcc.

The moral is: you always have to trust someone.