IntroSec

Added access control chapter.

1 files changed, 40 insertions, 2 deletions

diff --git a/en_GB/Introduction to Information Security/introduction_to_information_security.md b/en_GB/Introduction to Information Security/introduction_to_information_security.md
index d1ce4fb..947b427 100644
--- a/en_GB/Introduction to Information Security/introduction_to_information_security.md
+++ b/en_GB/Introduction to Information Security/introduction_to_information_security.md
@@ -179,7 +179,8 @@ Frequency of failing to extract a feature of a sample.
 
 #### Failure-To-Acquire Rate (FTA)
 
-Frequency of failing to acquire a biometric feature.  
+Frequency of failing to acquire a biometric feature.
+
 $$
 \text{FTA} = \text{FTC} + \text{FTX} \times (1 - \text{FTC})
 $$
@@ -198,7 +199,8 @@ $$
 
 #### False Positive Identification Rate (FPIR)
 
-Probability of some sample to match at least one of the entries in the database.  
+Probability of some sample to match at least one of the entries in the database.
+
 $$
 \text{FPIR} = (1 - \text{FTA}) \times (1 - (1 - \text{FMR})^{n})
 $$
@@ -212,6 +214,42 @@ $$
 
 Using a biometric scheme with $\text{FMR} = 0.01\%$ and a database of size $\text{n} = 80000$ results in $\text{FPIR} = (1 - 0) \times (1 - (1 - 0.0001)^{80000}) = 99.97\%$.
 
+## Access Control
+
+| Role | Description |
+| --- | --- |
+| User | The actual human. |
+| Principal | The user identity on the system instructing a process to request access. |
+| Subject | The active process on the system requesting access. |
+| Object | The resource access requested to. |
+
+### User Identities
+
+*User Identities* in Linux are stored in `/etc/passwd`. A typical `/etc/passwd` entry looks like this:
+
+```
+root:69geDfelkw:0:0:root:/root:/bin/bash
+<user>:<password>:<user id>:<primary group id>:<id string>:<home>:<shell>
+```
+
+`/etc/passwd` is world readable. It contains mainly user indentity information. Password related data (expiry data, issue date, etc.)
+is stored in `/etc/shadow`, and can only be written to there. It is readable only by root.
+
+### UIDs / GIDs of processes
+
+Processes have a *real* and an *effective* UID/GID pair.  
+The real pair is inherited from parent process. The effective pair is applied from current file being executed.
+E.g. `su` changes real pair from current user to effective pair of root.
+
+### Security Patterns
+
+#### Controlled Invokation
+
+User might want to use a file, but design does not permit users to read that file.
+In that case, there could be a program the user has execute rights on, containing checks guaranteeing safe resource access.
+Those programs are called *set UID* (SUID) and *set GID* (SGID) programs. They set the *effective UID/GID pair* to the ones required
+to access the file (they might have to be created) and reset them on exit. Be careful with *SUID to Root* programs!
+
 ## Encryption
 
 ### Kerckhoffs' Principle