Access Control List (ACL) Implementation Project
Overview
This will be the third assignment that will be given to the students. This project is intended to make them understand the concept of the ACL mechanism, which has been taught in the class. ACL is used to manage access control lists (ACL’s) for file system objects. ACL’s contain additional permissions on a per user basis which override the standard MINIX permissions. For this exercise you have to extend the MINIX file system with access control lists. These allow you to specify access permissions on a per user (principal) basis, rather than the current owner-group-other protection method. ACL’s generally provide better security because they allow finer grained access control. The super user has the same special privileges for file system objects with an ACL as in the normal protection scheme. The privileges are an extension of the normal rules, and are summarized as follows:
- Root has read and write access on all file system objects.
- Root has execute access on all directories.
- Root has execute access on all file system objects other than directories, if at least 1 entry in the ACL has the x-bit turned on, or if one of the x-bits in the normal protection bits is turned on.
For example, consider the /etc/passwd file with the following ACL: (note: there is a space after the “colon” and “rwx” bits, this IS required)
san: ---
bob: r--
alice: rw-
mike: rw-
*: r--
For the ACL permissions we use the normal MINIX file permissions, i.e. r for read, w for write, and x for execute. The ACL listed above specify that the user ast has no rights and has therefore no access to the file. The user bob can read it, while alice and mike have the ability to modify the file. Everybody else can only read the file. A special default permission is used when the user id doesn't match any in the list. This is depicted by the special user name ``*''.
Project Requirements
These are the project requirements for the ACL lab. I have posted the set of requirements in the webpage and also please refer to the class notes on ACL and why they are said to be so crucial. I would want to see a working demonstration of the ACL implementation. (Note: if all the requirements are not satisfied, grades will be based on what you demonstrate)
Requirement 1: You have to modify the file system to support ACL’s and also write a program, which allows the user to manage the ACL’s.
(HINT: aclname [user], aclname user permissions, To set an ACL, a user name and permissions have to be specified. The user name is either an ordinary MINIX user name or the special wildcard character ``*''. The later one denotes any user. This ACL is used for permission checks when no other ACL matches. ACL operations on a file system object that doesn't have an ACL return an error.)
Requirement 2:
Your program implementation should use the following criterion: when no ACL is defined for a particular uid, the default ACL should be used. In case there is no default ACL you should use the normal file permissions stored in the i-node.
(Hint: please see the inode table to check how the entries are mapped to it)
Requirement 3:
Your program implementation should show the following:
- Print the ACL list for some users you define.
- Create a single default ACL that is different from the file permission bits.
- Create ACL’s for different users with different modes.
Time Frame for each tasks:
I have enlisted the time frame that may take for finishing each of the tasks. This will serve a deadline for each and every student. (note: time may vary for each student, depending on their programming expertise)
Implement and satisfying the first requirement completely (20 - 25hrs)
Implement and satisfying the second requirement (15-20 hrs)
Implement and satisfying the third requirement (20-25 hrs)
Some Useful Links for the ACL project:
I have added some useful files and reading materials on ACL’s, that may be helpful, feel free to use them as a reference
Documents: (note: YOU NEED GSVIEW to view the PS Files)
- Important Source Code listing in Minix
- Good Paper on ACL [PDF]
- Operating systems Design And Implementation Text Book – A. Tanenbaum and A. Wood hull
Reading:
- Please read materials on MINIX system call: open (), I-node, ACL