OS 16: File Sharing and File Protection

Table of contents

1. File sharing

(1) Realize file sharing based on directed acyclic graph

1.1 - Directed Acyclic Graph (DAG)

1.2 - Using index nodes

(2) Use symbolic links to realize file sharing

2. File protection

(1) Protection Domain and Access Rights

(2) What is an access matrix?

2.1 - Basic Access Matrix

2.2 - Access matrix with domain switching rights

(3) How to modify the access matrix?

3.1 - Copy Right

3.2 - Ownership (Owner Right)

3.3 - Control Right

(4) How to implement the access matrix?

4.1 - Access Control List

4.2 - Capabilities table


1. File sharing

In modern computer systems a means of file sharing must be provided, that is, the system should allow multiple users (processes) to share the same file. Then only one copy of the shared file needs to be kept in the system. If the system cannot provide file sharing, every user who needs the file must hold a private copy of it, which obviously wastes a great deal of storage space. // File sharing saves storage space: only one copy of a shared file is needed

(1) Realize file sharing based on directed acyclic graph

1.1 - Directed Acyclic Graph (DAG)

In a strictly tree-structured directory, each file is allowed only one parent directory, and that parent directory effectively owns the file. Other users who want to access the file must reach it through its owner directory. File sharing is therefore asymmetric; in other words, a tree-structured directory is not well suited to file sharing. // In a tree, a child node has only one parent node

Improvement: allow a file to have multiple parent directories, that is, let several directories belonging to different users point to the same file at the same time. Although this breaks the tree property, these users can now share the file symmetrically and no longer need to go through the owner's home directory. // Allow a child node to have several parents so that files can be shared

The figure below shows a directed acyclic graph in which each file may have multiple parent directories. In the figure, file F8 has three parent directories, D5, D6 and D3; D5 and D3 both use the same name p for it, and directory D6 itself has two parent directories, D2 and D1.

When multiple users want to share a subdirectory or file, the shared file or subdirectory must be linked into each user's parent directory so that it can be found conveniently.

The question now is how to establish the link between the parent directory D5 and the shared file F8.

If the directory entry contains the file's physical address, that is, the disk block numbers of the blocks holding the file, then linking means copying that physical address into the D5 directory entry. But if D5 or D6 later appends new content to the file, new disk blocks must be allocated (this is done by the Append operation), and those newly added blocks are recorded only in the directory entry through which the operation was performed. // If D5 appends to F8, the new content is recorded only in D5's entry and is not shared with D6 and D3

This change is therefore invisible to the other users, so the newly added content cannot be shared.

1.2 - Using index nodes

To solve the problem that new content cannot be shared, index nodes (i-nodes) can be used: the file's physical address and its other attributes are no longer placed in the directory entry but in the index node. The directory entry holds only the file name and a pointer to the corresponding index node. // The directory entry no longer holds the file's physical address

Now any Append or modification that any user performs on the shared file changes the contents of the index node (for example, new disk block numbers and a new file length), and these changes are visible to all other users, so the new content is shared as well.

// Deleting a shared file implemented this way needs special handling; otherwise a dangling pointer results, because the other sharing directories still hold pointers to the file's index node

(2) Use symbolic links to realize file sharing

The basic idea of using symbolic links to realize file sharing is again to allow a file or subdirectory to have multiple parent directories, but only one of them is the main (owner) parent directory; the other parent directories (the link parent directories) are connected to it through symbolic links.

The biggest advantage of this is that the owner structure (the structure joined by solid lines in the figure) remains a simple tree, which makes file deletion and search more convenient. // The tree structure of the file system is preserved

So how are symbolic links used to achieve sharing?

To let the link parent directory D5 share the file F8, the system creates a new file of type LINK, also named F8 (written F(8) below), and enters F(8) into the link parent directory D5, which links D5 to F8. The new file F(8) contains only the path name of the linked file F8. A link of this kind is called a symbolic link. // Share through a LINK file

The path name in the new file F(8) is treated only as a symbolic link. When a user accesses the linked file F8 through D5 and is about to read the LINK file, the request is intercepted by the OS, which locates F8 by the path name stored in the new file and then reads (or writes) it. In this way the sharing of F8 is realized. // The symbolic link holds only a path name; the LINK file is the carrier

Advantage of the symbolic link method: only the file's owner holds a pointer to its index node; the other users sharing the file hold only its path name and no pointer to the index node. Thus no dangling pointer is left behind when the owner deletes a shared file. If another user then tries to access the deleted file through the symbolic link, the access fails because the system cannot find the file, and the symbolic link is then deleted, which has no further effect. // No dangling pointer is generated

Problems of the symbolic link method: when a shared file is read, the system searches the directories one by one along the given path name until the file's index node is found, so each access to a shared file may require several disk reads. This makes every file access expensive and increases the number of disk startups. In addition, a symbolic link must be created for every sharing user, and since the link is itself a file, simple as it is, it still needs its own index node, which also consumes some disk space. // Multiple disk reads + consumes disk space
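The two sharing mechanisms above (shared index node in 1.2, path-name link in (2)) map directly onto hard links and symbolic links on a POSIX file system. The following added example, which is not code from the original notes, uses the real file system to show the behaviour the text describes: an append through one name is visible through every other name, the i-node's link count is the "special handling" that keeps the hard-linked data alive after the owner deletes its entry, and the symbolic link is left dangling and fails with "no such file". It assumes a POSIX system where os.link and os.symlink are available; the file names D3_F8, D6_F8 and D5_F8 are constructed stand-ins for the notes' directories D3, D6, D5 and file F8.

```python
"""Hard links (shared index node) versus symbolic links on the real file system.
Added example, not from the original notes; assumes a POSIX file system."""

import os
import tempfile


def demo_links():
    """Return a dict of observations made while creating, appending to and deleting links."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        owner = os.path.join(d, "D3_F8")   # owner directory's entry for F8 (constructed name)
        hard = os.path.join(d, "D6_F8")    # D6 shares F8 by pointing at the same index node
        sym = os.path.join(d, "D5_F8")     # D5 shares F8 through a LINK file holding a path name

        with open(owner, "w") as f:
            f.write("original content\n")
        os.link(owner, hard)               # second directory entry -> same i-node
        os.symlink(owner, sym)             # LINK file containing only the path name of F8

        st_owner, st_hard = os.stat(owner), os.stat(hard)
        out["same_inode"] = st_owner.st_ino == st_hard.st_ino
        out["nlink_before"] = st_hard.st_nlink              # 2: two names, one i-node
        out["symlink_target"] = os.readlink(sym) == owner   # the symlink stores a path, not an i-node

        # Append through D6's name: the new block is recorded in the i-node,
        # so it is visible through every other name, including the symlink.
        with open(hard, "a") as f:
            f.write("appended via D6\n")
        with open(owner) as f:
            out["append_seen_by_owner"] = "appended via D6" in f.read()
        with open(sym) as f:
            out["append_seen_via_symlink"] = "appended via D6" in f.read()

        # The owner deletes its entry.  The i-node's link count is the "special
        # processing" that avoids a dangling pointer: the data survives while
        # D6's name still refers to the i-node.
        os.unlink(owner)
        out["nlink_after"] = os.stat(hard).st_nlink          # 1
        with open(hard) as f:
            out["hard_link_still_readable"] = "original content" in f.read()

        # The symlink is now dangling: the LINK file still exists, but the path
        # name inside it no longer resolves, so the OS reports "no such file".
        out["symlink_dangling"] = os.path.islink(sym) and not os.path.exists(sym)
        try:
            with open(sym):
                out["symlink_open"] = "ok"
        except FileNotFoundError:
            out["symlink_open"] = "FileNotFoundError"
        os.unlink(sym)                                        # removing the stale LINK file is harmless
        out["symlink_removed"] = not os.path.lexists(sym)
    return out


if __name__ == "__main__":
    for key, value in demo_links().items():
        print(f"{key}: {value}")
```

Running it prints one line per observation; the interesting ones are nlink_before (2) against nlink_after (1), and symlink_open reporting FileNotFoundError while symlink_dangling is True, which is exactly the "access fails, then the link is deleted with no effect" sequence from the notes.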

2. File protection

The main factors that affect file security are:

  • Human factors. People's intentional or unintentional actions damage or destroy data in the file system.
  • System factors. Data is damaged or lost because some part of the system fails; the disk in particular, as the main storage medium, has an incalculable impact once it fails.
  • Natural factors. Data stored on disk gradually fades over time.

To ensure the security of the file system, three measures can be taken against the causes above:

  • Use an access control mechanism to prevent insecurity caused by human factors.
  • Use system fault-tolerance techniques to prevent insecurity caused by system failure.
  • Establish a backup system to prevent insecurity caused by natural factors.

(1) Protection Domain and Access Rights

Access right: a process's right to perform an operation on an object is called an access right. Each access right can be represented by an ordered pair (object name, right set). For example, if a process may read and write the file F1, its access right can be expressed as (F1, {R/W}).

Protection domain: a "domain" is the set of access rights a process holds on a group of objects; the process may only perform operations within its domain. The domain thus specifies both the objects the process may access and the operations it may perform on them. // access rights -> protection domain

The figure below shows two protection domains. Domain 1 contains the files F1 and F2: a process is only allowed to read F1 but may read and write F2. The object Printer1 appears in both domain 1 and domain 2, which means that processes running in either domain may use the printer.

Static domain: a process may be associated with exactly one domain. Then the resources available to the process are fixed for its whole lifetime, and such a domain is called a "static domain". The entire run of the process is confined to the same domain, which gives the process more access rights than it actually needs at any one moment. For example, a process needs a tape drive to input data at the start of its run and a printer to print data at the end. With one domain per process, both the tape drive and the printer must be placed in the domain at the same time, which exceeds the process's actual needs. // fixed protection domain

Dynamic domain: there can also be a one-to-many relationship between a process and domains, that is, one process can be associated with several domains. The run of the process is then divided into stages, each associated with its own domain, so that the objects accessible at each stage can be specified according to what that stage actually needs. // Requires a protection-domain switching function

This one-to-many association is called the dynamic association method. A system using it must provide a protection-domain switching function so that a process can switch from one protection domain to another as it moves between stages of its run.

(2) What is an access matrix?

2.1 - Basic Access Matrix

The matrix used to describe the system's access control is called the access matrix. Its rows represent domains, its columns represent objects, and each entry of the matrix is a set of access rights.

Access rights in the access matrix are usually determined by the resource's owner or manager. When a user creates a new file, the creator becomes its owner; the system adds a column for the new file to the access matrix, and the owner decides which access rights each entry of that column (that is, each domain) receives. When the user deletes the file, the system removes the corresponding column from the access matrix.

2.2 - Access matrix with domain switching rights

To realize the dynamic relationship between processes and domains, a process must be able to switch from one protection domain to another. // Purpose

So that this switching can be controlled, switching is itself treated as a right, and a process may switch only when it holds the right to do so. To this end, the domains themselves are added to the access matrix as additional objects (switch columns).

For example, in the figure above the entry in row D1, column D2 contains S (Switch), so a process in domain D1 is allowed to switch to domain D2. Similarly, a process running in domain D2 may switch to domain D3, but a process in D3 may not return to D1 or D2. // Without S, switching protection domain is not allowed

(3) How to modify the access matrix?

3.1 - Copy Right

Copy rights extend an access right held in one domain to other domains.

In the figure above, an asterisk (*) on an access right indicates that a process running in that domain may copy that right on the object into the same object's column in any other domain. // * means the access right may be copied

For example, in the figure the * on the write right for file F3 in domain D1 means that a process running in D1 may extend its write right on F3 to domain D3. The same holds for the read right on file F2 in domain D2.

Note that after a right marked with * is copied into the new domain, the newly created right no longer carries the *, so a process running in domain D3 cannot propagate the copy right any further. This form of copying is called restricted copying.

3.2 - Ownership (Owner Right)

Sometimes it is necessary not only to control the spread of existing access rights but also to add or delete certain access rights. Ownership (O) is used to implement these operations.

A process running in the domain that owns the file can delete or add access rights to that file in any other domain. // The owner of a file can make arbitrary modifications to the access rights of that file

3.3 - Control Right

Both the copy right and ownership change access rights within one column of the matrix, that is, the rights of processes running in different domains to the same object. // Modify the data in one column

The control right changes access rights within one row (one domain) of the matrix, that is, the rights of processes running in a given domain to different objects. // Modify the data in one row
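The following added example (not code from the original notes) implements the access matrix of 2.1 together with the four ways of changing it described in 2.2 and (3): switching between domains via an S entry, restricted copying via a * right, column-wise changes by an owner holding O, and row-wise changes by a domain holding C over another domain. The matrix contents are constructed to resemble the notes' figure (D1 may switch to D2, D2 to D3, D1 holds W* on F3) but are my own assumption, since the figure itself is not reproduced on this page; the class and method names are likewise mine.

```python
"""Toy access matrix with switch (S), copy (*), owner (O) and control (C) rights.
Added example, not from the original notes.  Rows are domains, columns are
objects; each domain is also entered as a column so that switching between
domains can be granted as an ordinary right."""


class PermissionDenied(Exception):
    pass


class AccessMatrix:
    def __init__(self, domains, objects):
        self.domains = list(domains)
        self.objects = list(objects) + list(domains)   # domains appended as "switch" columns
        self.cell = {(d, o): set() for d in self.domains for o in self.objects}

    def rights(self, domain, obj):
        return set(self.cell[(domain, obj)])

    def grant(self, domain, obj, *rs):
        """Administrative setup, e.g. by the system when a file is created."""
        self.cell[(domain, obj)].update(rs)

    def check(self, domain, obj, right):
        """Ordinary access check: is `right` in access(domain, obj)?"""
        return right in self.cell[(domain, obj)]

    def switch(self, src, dst):
        """Domain switching is allowed only if access(src, dst) contains S."""
        if "S" not in self.cell[(src, dst)]:
            raise PermissionDenied(f"{src} may not switch to {dst}")
        return dst

    def copy_right(self, src, dst, obj, right):
        """Restricted copy: src needs right+'*' on obj; dst receives the right without '*'."""
        if right + "*" not in self.cell[(src, obj)]:
            raise PermissionDenied(f"{src} holds no copy right {right}* on {obj}")
        self.cell[(dst, obj)].add(right)

    def owner_set(self, src, target, obj, right, add=True):
        """Owner right: a domain holding O on obj may add/remove rights on obj in any row (column-wise)."""
        if "O" not in self.cell[(src, obj)]:
            raise PermissionDenied(f"{src} does not own {obj}")
        (self.cell[(target, obj)].add if add else self.cell[(target, obj)].discard)(right)

    def control_set(self, src, target, obj, right, add=True):
        """Control right: a domain holding C on the domain-object `target` may change target's row."""
        if "C" not in self.cell[(src, target)]:
            raise PermissionDenied(f"{src} has no control over {target}")
        (self.cell[(target, obj)].add if add else self.cell[(target, obj)].discard)(right)


def build_example():
    """Constructed matrix loosely modelled on the notes' figure (an assumption, not the figure)."""
    am = AccessMatrix(["D1", "D2", "D3"], ["F1", "F2", "F3"])
    am.grant("D1", "F1", "R")
    am.grant("D1", "F3", "W*")          # copy right on write
    am.grant("D2", "F2", "R*", "O")     # copy right on read, and ownership of F2
    am.grant("D3", "F1", "R", "W")
    am.grant("D1", "D2", "S")           # D1 may switch to D2
    am.grant("D2", "D3", "S", "C")      # D2 may switch to D3 and controls row D3 (no way back)
    return am


def demo():
    am = build_example()
    out = {}
    out["d1_to_d2"] = am.switch("D1", "D2")
    try:
        am.switch("D3", "D1")
        out["d3_to_d1"] = "allowed"
    except PermissionDenied:
        out["d3_to_d1"] = "denied"
    am.copy_right("D1", "D3", "F3", "W")           # D1 extends W on F3 to D3
    out["d3_f3"] = am.rights("D3", "F3")           # {'W'}: the copy carries no '*'
    try:
        am.copy_right("D3", "D2", "F3", "W")       # D3 cannot propagate it further
        out["d3_propagates"] = True
    except PermissionDenied:
        out["d3_propagates"] = False
    am.owner_set("D2", "D1", "F2", "R")            # owner of F2 grants D1 read on F2 ...
    am.owner_set("D2", "D1", "F2", "R", add=False) # ... and revokes it again
    out["d1_f2"] = am.rights("D1", "F2")
    try:
        am.owner_set("D1", "D3", "F2", "W")        # D1 does not own F2
        out["d1_owner_abuse"] = True
    except PermissionDenied:
        out["d1_owner_abuse"] = False
    am.control_set("D2", "D3", "F1", "W", add=False)   # D2 strips W on F1 from row D3
    out["d3_f1"] = am.rights("D3", "F1")
    return out


if __name__ == "__main__":
    print(demo())
```

The point to notice is where each check is made: switch and copy_right look at the caller's own cell, owner_set looks down the object's column for O, and control_set looks at the caller's cell in the target domain's switch column for C. Those three lookups are exactly the column/row distinction the notes draw between ownership and the control right.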

(4) How to implement the access matrix?

4.1 - Access Control List

Dividing the access matrix by columns (objects), an access control list (ACL) is created for each column. All entries of the column that are empty in the matrix are dropped, so the ACL consists of ordered pairs (domain, right set). Since in most cases the matrix has far more empty entries than non-empty ones, ACLs significantly reduce the storage occupied and speed up lookup. // Divided by column: one table per file

In many systems, when the object is a file, the ACL is stored in the file's file control block or in its index node, as the file's access control information.

The ACL can also be used to define a default access right set, that is, a table listing each domain's default access rights on an object. Once this table is configured, when a user (process) wants to access a resource the system usually first consults the default access control table to see whether the user (process) has the right to access the specified resource; if nothing is found there, it looks in the ACL of the object itself. // Default access right set

4.2 - Capabilities table

If the access matrix is divided by rows (domains), each row forms a capability list (access authority table): the set of operations a domain may perform on each object. Each entry in the list is the domain's access right to one object. When the domain is a user (process) and the objects are files, the capability list describes the operations the user may perform on each file. // Divided by row: one table per domain

At present most systems use ACLs and capability lists together, configuring an ACL for each object in the system. When a process first tries to access an object, the ACL is checked to see whether the process has the right to access it. If it does not, the access is rejected by the system and an exception is raised; otherwise the access is allowed, a capability is created for the process and attached to it.

Thereafter the process uses the returned capability directly to access the object, so the legitimacy of its accesses can be verified quickly. When the process no longer needs access to the object, the capability can be revoked.
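The following added example (not code from the original notes) derives both representations of (4) from one sparse access matrix, an ACL per object (column view) and a capability list per domain (row view), and then walks through the combined scheme of the last two paragraphs: the first access consults the default table and then the object's ACL, a capability is attached to the process on success, later accesses are answered from that capability, and the capability can be revoked. The matrix, the default table and the names Process, to_acls, to_capability_lists and acl_permits are all constructed for this example.

```python
"""ACLs (by column) and capability lists (by row) derived from one sparse
access matrix, plus the first-access check that hands out a capability.
Added example, not from the original notes; all data below is constructed."""

from collections import defaultdict

# Constructed sparse matrix: (domain, object) -> right set.  Empty cells are absent.
MATRIX = {
    ("D1", "F1"): {"R"},
    ("D1", "F2"): {"R", "W"},
    ("D2", "F2"): {"R"},
    ("D2", "Printer1"): {"W"},
    ("D3", "F1"): {"R", "W"},
}

# Constructed default access control table: rights every domain has on an object.
DEFAULT_ACL = {"F1": {"R"}}


def to_acls(matrix):
    """Column view: object -> list of (domain, rights) pairs, empty cells dropped."""
    acls = defaultdict(list)
    for (dom, obj), rights in matrix.items():
        if rights:
            acls[obj].append((dom, frozenset(rights)))
    return dict(acls)


def to_capability_lists(matrix):
    """Row view: domain -> list of (object, rights) pairs, empty cells dropped."""
    caps = defaultdict(list)
    for (dom, obj), rights in matrix.items():
        if rights:
            caps[dom].append((obj, frozenset(rights)))
    return dict(caps)


def acl_permits(acls, default_acl, domain, obj, right):
    """Lookup order from the notes: the default table first, then the object's own ACL."""
    if right in default_acl.get(obj, set()):
        return True
    for dom, rights in acls.get(obj, []):
        if dom == domain and right in rights:
            return True
    return False


class Process:
    def __init__(self, domain):
        self.domain = domain
        self.capabilities = {}   # object -> rights granted at first access

    def access(self, acls, default_acl, obj, right):
        """First access goes through the ACL; later accesses use the held capability."""
        cap = self.capabilities.get(obj)
        if cap is not None:
            return right in cap            # fast path: no directory or ACL lookup
        if not acl_permits(acls, default_acl, self.domain, obj, right):
            raise PermissionError(f"{self.domain} may not {right} {obj}")
        # Attach a capability holding every right the default table and ACL grant this domain on obj.
        granted = set(default_acl.get(obj, set()))
        for dom, rights in acls.get(obj, []):
            if dom == self.domain:
                granted |= rights
        self.capabilities[obj] = frozenset(granted)
        return True

    def revoke(self, obj):
        self.capabilities.pop(obj, None)


def demo():
    acls = to_acls(MATRIX)
    caps = to_capability_lists(MATRIX)
    p = Process("D2")
    out = {"acl_F2": sorted(acls["F2"]), "caps_D2": sorted(caps["D2"])}
    out["first_read_F2"] = p.access(acls, DEFAULT_ACL, "F2", "R")    # ACL check, capability attached
    out["cached_write_F2"] = p.access(acls, DEFAULT_ACL, "F2", "W")  # answered from the capability: no W
    out["default_read_F1"] = p.access(acls, DEFAULT_ACL, "F1", "R")  # granted by the default table
    try:
        p.access(acls, DEFAULT_ACL, "F3", "R")                       # F3 has no column at all
        out["F3"] = "allowed"
    except PermissionError:
        out["F3"] = "denied"
    p.revoke("F2")
    out["after_revoke"] = "F2" in p.capabilities
    return out


if __name__ == "__main__":
    print(demo())
```

One design point worth seeing in the code: the capability snapshots the rights at first access, so a later change to the ACL is not seen by a process that already holds a capability until that capability is revoked. That is the usual trade-off between the fast capability check and the revocability that the ACL alone provides.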


Origin blog.csdn.net/swadian2008/article/details/131695918