Program isolation is one method of controlling program authorizations by limiting the scope of access. It is an important step in keeping programs secure.

UNIX Protected Subsystem

The UNIX protected subsystem is a method of isolating a software system through the use of group permissions. A protected subsystem is a group of programs which provide a particular service, or a group of related services, and which require more authorization for access to data files and devices than the users who need the service have. For example, the mail and printing systems on most UNIX systems are implemented as protected subsystems. Each protected subsystem has its own user ID and group ID, used only by its programs and files. The protected files and devices allow no access except through the group permission bits, and the programs all run with their effective group ID set to the subsystem group ID. No users are allowed membership in the group used by a protected subsystem. The following steps will create a protected subsystem.
All parts of the protected subsystem need to be in directories with sufficient protection so that the files which are part of the protected subsystem cannot be altered, nor their permissions changed.

chroot Environment

The chroot environment is a method of isolating a software system by creating a separate directory tree in which each system resides. chroot forces the process to view that sub-tree as the root file system. Software which runs in a chrooted environment has no access to the system outside the chroot directory tree. The following steps produce a chroot environment.
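An added audit script, not from the text, that checks a subsystem's directory tree against the rules stated above: no access through the "other" bits, every file owned by the subsystem's private group, programs not writable by the group that runs them, and no user accounts able to act as that group. The sample tree it builds is constructed for the demonstration, and the subsystem group is assumed to be the group that owns the tree's root.

```python
import grp
import os
import pwd
import stat
import tempfile

def audit_entry(relpath, mode, gid, subsystem_gid):
    """Check one file's stat fields against the protected-subsystem rules."""
    findings = []
    if mode & stat.S_IRWXO:
        # Access must go through the group bits only, so no "other" bits at all.
        findings.append((relpath, "mode %o grants access to 'other'" % stat.S_IMODE(mode)))
    if gid != subsystem_gid:
        # Every file and device belongs to the subsystem's private group.
        findings.append((relpath, "group %d is not the subsystem group %d" % (gid, subsystem_gid)))
    if stat.S_ISREG(mode) and mode & (stat.S_IXUSR | stat.S_IXGRP) and mode & stat.S_IWGRP:
        # A program writable by the subsystem group could be altered by any process
        # running with that effective group, defeating the isolation.
        findings.append((relpath, "program is writable by the subsystem group"))
    return findings

def audit_tree(root, subsystem_gid):
    """Walk the subsystem's directory tree and collect every rule violation."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in [os.curdir] + sorted(filenames):  # the directory itself, then its files
            full = os.path.normpath(os.path.join(dirpath, name))
            st = os.lstat(full)
            findings += audit_entry(os.path.relpath(full, root), st.st_mode, st.st_gid, subsystem_gid)
    return findings

def users_with_access(subsystem_gid):
    """Logins able to act as the subsystem group: supplementary members plus accounts
    whose primary group is the subsystem group. For a real subsystem this must be empty."""
    try:
        members = set(grp.getgrgid(subsystem_gid).gr_mem)
    except KeyError:
        members = set()
    members.update(p.pw_name for p in pwd.getpwall() if p.pw_gid == subsystem_gid)
    return sorted(members)

def build_demo_tree():
    """Constructed sample tree: a compliant spool file (group access only), a
    world-readable data file, and a setgid program the group may overwrite."""
    root = tempfile.mkdtemp(prefix="subsys-")
    os.chmod(root, 0o750)
    for name, mode in (("spool", 0o660), ("leak", 0o644), ("deliver", 0o2770)):
        path = os.path.join(root, name)
        with open(path, "w"):
            pass
        os.chmod(path, mode)
    return root, os.lstat(root).st_gid  # assumption: the root's group is the subsystem group

if __name__ == "__main__":
    root, gid = build_demo_tree()
    for relpath, msg in audit_tree(root, gid):
        print(f"{relpath}: {msg}")
    print("accounts able to use the subsystem group:", users_with_access(gid))
```

Run against a real subsystem, point `audit_tree` at its directory and pass the subsystem's group ID; in the demo the tree belongs to your own primary group, so `users_with_access` will list you.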