Protection mechanism:

Protection domain:

A computer system cosist of a set of objects, that may be accesses by the process.
An object can be either a hardware (cpu, memory segment and printer ) or software (file,
database or program).
Each object is referred by unique name and and it aceess by some pre-defined operation.
Since object is a basic component of computer system , a mechanism is required to
ensure that a process can access only those object which it has permission
Concept of protection mechanism protection domain is used :
A domain is a collection of access rights where each acess is a pair of
<object name, right_set>
The object_name is the name of object and right_set is the set of rights. (that a process is
permitted to perform on object)
Ex:
Domain D with acess rights <A,[R,W]>-means any process in domain D can perform
read and write on Object A
Also Domain D1 is disjoint and D2 and D3 are sharing object <C ,print>

<A,[R]>, <A,[W,E]> <B,[R,W]>,

<C,[print]>
<D,[R,W]> <D,[E]>
<B,[E]>
D1 D2 <D D3

In<domain D1 can only read a object , while In domain D2 process can write and
execute for object A .
Also , a process in either od D2 and D3 can print the object C

ACL:

Stands for "Access Control List." An ACL is a list of user permissions for a file, folder,
or other object.
Access control list (ACL) refers to the permissions attached to an object that specify
which users are granted access to that object and the operations it is allowed to perform.
File system ACL is a data structure that holds entries that specify individual user or group
rights to system objects such as processes, files and programs.
These entries are referred to as access control entities. Each system object is associated
with a security attribute that identifies its access control list.
It defines what users and groups can access the object and what operations they can
perform. These operations typically include read, write, and execute.
For example, if an ACL specifies read-only access for a specific user of a file, that user
will be able open the file, but cannot write to it or run the file.
 It can be changed by chmod() commands
The ACL has an entry for each system user that defines the user's privileges, such as
reading a file, writing to a file or executing a file.
When a subject requests an object in an ACL-based security model, the OS initially
checks the ACL for an applicable entry to decide whether the requested operation is
authorized.
The ACL model is applicable to both individual entities and the collection of objects
within the system hierarchy.
This is effective but number of users keep changing their access control list so , it will be
complicated.
So this ACL is classified in category:
o Owner: the user who created a file.
o Group: A set of user who need similar type permission for sharing the fiele is a
group.
o Other/universe: all the other user in the system from universe.
The owner has a full access of a file(r,w,x), where a group has only read and write
permission but can not delete or execute a file. Others can only read a file not allowed to
perform other operation
In unix it will use 9bits to use the protection mechanism
o -rwx all bits are set (full permission)
o -rw- only read and write permission.
o .-ronly read permission
Permission can be set by admin or file owner.