Many operating systems have built‑in access control, using one technique or another. IBM's z/OS, a well‑established and mature mainframe operating system, includes the System Authorization Facility (SAF)—a set of calls issued by the operating system itself to verify a user's authorization.
Access control software in a z/OS environment sets a return code for the SAF call, and z/OS grants or denies access according to the code. The decision of what return code to set is based on the access rules and policies defined in the security database by the security administrator.
Other operating systems, such as OS/2, provide similar techniques for access control. The OS/2 access control module, called Security Enabling Services (SES), is based on the same concept as z/OS SAF.
Unfortunately, UNIX‑based operating systems were not designed this way. Authorization decisions are made mainly for file accesses and are performed by the operating system itself using the nine bits (rwx‑rwx‑rwx) in the file's inode entry. Unlike SAF, no exit point for event interception is provided. Therefore, further security is necessary to perform functions that are more complex than those of mainframe‑type security packages.
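The nine-bit decision described above, written out as an added example (it is not part of the original documentation): the check selects exactly one class and reads nothing but the inode fields, so no external policy can be consulted. The names `inode_perm`, `unix_access` and `sample` and the sample values are constructed for illustration; supplementary groups and ACLs are left out.

```c
#include <stdio.h>
#include <sys/types.h>

/* Requested access, using the bit layout of one rwx triplet. */
#define WANT_R 4
#define WANT_W 2
#define WANT_X 1

/* Constructed stand-in for the inode fields the check reads. */
struct inode_perm {
    uid_t  owner;
    gid_t  group;
    mode_t mode;   /* low nine bits: rwx for owner, group, other */
};

/* Constructed sample: mode 0460 (r--rw----), owner uid 1000, group gid 50. */
static const struct inode_perm sample = { 1000, 50, 0460 };

/*
 * Classic nine-bit decision: pick exactly ONE class (owner, else group,
 * else other) and test the request against that triplet only.
 * Returns 1 to grant, 0 to deny.
 */
int unix_access(const struct inode_perm *ip, uid_t uid, gid_t gid, int want)
{
    int triplet;

    if (uid == 0)   /* superuser: only execute needs some x bit to be set */
        return !(want & WANT_X) || (ip->mode & 0111) != 0;

    if (uid == ip->owner)
        triplet = (ip->mode >> 6) & 7;   /* owner bits; group is never tried */
    else if (gid == ip->group)
        triplet = (ip->mode >> 3) & 7;
    else
        triplet = ip->mode & 7;

    return (triplet & want) == want;
}

int main(void)
{
    printf("owner write: %d\n", unix_access(&sample, 1000, 50, WANT_W));
    printf("group write: %d\n", unix_access(&sample, 2000, 50, WANT_W));
    printf("other read:  %d\n", unix_access(&sample, 3000, 99, WANT_R));
    printf("root write:  %d\n", unix_access(&sample, 0, 0, WANT_W));
    return 0;
}
```

The owner is denied write even though the owner's group has it, because only the first matching class is evaluated; rules finer than these three classes cannot be expressed in the nine bits.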
Copyright © 2013 CA Technologies.
All rights reserved.