DOCSLIB.ORG

Managing File System Security 7

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Color profile: Generic CMYK printer profile Composite Default screen CertPrs8 / MCSE/MCSA Windows Server 2003 Environment Study Guide / Desai / 222322-7 / Chapter 4 Managing File System Security 7 CERTIFICATION OBJECTIVE 4.01 Managing File System Security One of the many benefits of networked systems is the ability to quickly and easily share data across systems. However, this benefit comes at the price of security. The file system is an extremely important part of modern computers. A large amount of most organizations’ sensitive information is stored in the file system in the form of documents, images, and other pieces of data. As a systems administrator, it’s your job to ensure that these files stay secure and that only authorized users can access them. That’s where the important topic of file system security comes in. Let’s start with the most important point: If you want to implement security at the file system level, you must choose to use NTFS. The FAT and FAT32 partition types do not provide any security at all, and there’s little to stop someone from booting off a floppy and accessing all of the information on your computers. Furthermore, the only level of network security provided by FAT-based partitions is at the level of shared folders (a topic that you’ll encounter later in this chapter). With that in mind, let’s take a look at the file system security architecture of Windows Server 2003. Understanding NTFS Permissions Earlier, I mentioned that permissions are placed on objects through the use of ACLs that contain ACEs. Folders and files that are stored on an NTFS partition are treated as objects, each of which has its own unique identifier. You can protect files at the level of the file system using NTFS permissions. In Windows Server 2003, file system permissions can be applied to files and folders through the Security tab of the properties of the object. For example, to set properties on a file, you can right-click the file, select Properties, and then click the Security tab (see Figure 4-1). It’s important to keep in mind that file system security is only one part of an overall security strategy. Although NTFS permissions provide security while the operating system is running, it is possible to access this data without authorization, using a boot floppy disk and special utilities. To prevent this, it’s important to provide for the physical security of your server computers! P:\010Comp\CertPrs8\322-7\ch04tem.vp Monday, August 04, 2003 6:47:32 PM Color profile: Generic CMYK printer profile Composite Default screen CertPrs8 / MCSE/MCSA Windows Server 2003 Environment Study Guide / Desai / 222322-7 / Chapter 4 8 Chapter 4: Managing Resource Access FIGURE 4-1 Viewing security settings for a file In the Security dialog box, you’ll see a list of the users and groups for which permissions are configured. By clicking one of these items, you can view the permissions that are assigned. For each permission setting, you will see two columns: Allow and Deny. Actually, there are three possible states for each setting: You can choose to allow the permission, to deny it, or to leave it as unspecified (neither box will be checked). If the security permissions were inherited from a higher level (a topic that you’ll consider in the next section), you will see that the boxes are grayed out and cannot be changed. The permissions that are available for a file include the following: ■ Full Control This option provides full permissions on the object, including the ability to take ownership of files and to change security permissions. ■ Modify This permission specifies that users can open files and change their contents or delete them. ■ Read This permission allows users to read or open the specified file. ■ Read and Execute This permission allows users to read or open the files and to run executable programs. ■ Write This permission allows users to change the contents of existing files and to create new ones. P:\010Comp\CertPrs8\322-7\ch04tem.vp Monday, August 04, 2003 6:47:32 PM Color profile: Generic CMYK printer profile Composite Default screen CertPrs8 / MCSE/MCSA Windows Server 2003 Environment Study Guide / Desai / 222322-7 / Chapter 4 Managing File System Security 9 ■ Special Permissions (available for some objects) Through the use of the Advanced button, you can specify much more detailed permissions on specific objects (see Figure 4-2). In general, systems administrators will not need to apply permissions at this level. The Windows Help and Support Center provides details about the actual file and folder permissions that are assigned when you choose from the standard permissions. Certain combinations of permissions are not allowed for a single permission line item. For example, you cannot deny Modify permissions and, at the same time, allow Read and Execute. When you work with setting permissions using the Security tab, you’ll notice that the user interface will automatically check and uncheck boxes as appropriate. Therefore, it’s important to take the time to review your final selections before you apply them. The exact list of permissions that are available for various objects depends on the type of object and the actions it supports. For example, folders also have a permission setting for List Folder Contents. Or if you’re setting permissions on a Registry key, you will see a permission called “Create subkey” (see Figure 4-3). Later in this chapter, you’ll look at the steps that are required to assign permissions to files and folders. But first, you need to understand a few additional concepts regarding file system permissions. FIGURE 4-2 Viewing File and Folder Special Permissions settings P:\010Comp\CertPrs8\322-7\ch04tem.vp Monday, August 04, 2003 6:47:32 PM Color profile: Generic CMYK printer profile Composite Default screen CertPrs8 / MCSE/MCSA Windows Server 2003 Environment Study Guide / Desai / 222322-7 / Chapter 4 10 Chapter 4: Managing Resource Access FIGURE 4-3 Setting advanced permissions on a Registry key Understanding Inheritance In modern networked environments, file systems tend to have many thousands of files and folders. For systems administrators, this can pose a daunting challenge: How can you possibly ensure that all of these objects have the right security settings? Even harder would be setting the appropriate permissions for objects that have not yet been created (such as new files or folders). That’s where inheritance comes in. The basic rule for inheritance is that permissions that are assigned at a higher-level folder will propagate to child files and folders. This is the default behavior for files and folders in Windows Server 2003. There are two main types of permissions that can apply to objects. The first is explicit permissions. These permissions are the access control rules that are directly applied to an object. Implicit permissions, on the other hand, are access rules that are defined for parent objects and that are propagated down to the object itself (Figure 4-4 compares explicit and implicit permissions). Note that explicit permissions automatically override implicit permissions. This is even true for the Deny permissions on a parent level (an explicit allow permission will override an implicit deny). P:\010Comp\CertPrs8\322-7\ch04tem.vp Monday, August 04, 2003 6:47:33 PM Color profile: Generic CMYK printer profile Composite Default screen CertPrs8 / MCSE/MCSA Windows Server 2003 Environment Study Guide / Desai / 222322-7 / Chapter 4 Managing File System Security 11 FIGURE 4-4 Explicit vs. implicit permissions For example, if you grant Change permissions on a folder to members of the Engineering group, by default, all new files and folders created within that folder will have the same permissions. As another example, suppose you have a folder called Sales that’s used by your organization’s salespeople. All of the data in the Sales folder and its subfolders should be made available to the entire sales team. In this case, you would assign the necessary permissions at the level of the Sales folder and choose to propagate the changes to all child objects. By default, files and folders will inherit permissions from their parent objects. This is designed to make the administration of file system permissions simpler. So, if you create a new file called SalesData.xls in the Sales folder, the new file will automatically have the permissions that were applied to the Sales folder. If you attempt to remove a permissions entry on this page, you will see a warning message. When you change permissions at any level (for example a parent folder), the permission changes will, by default, apply only to that object. That is, the permissions on subfolders and files will not be modified. So, what if you really do want to set individual permissions on the SalesData.xls file, or you want to propagate the new security settings to all child objects? This is where the Advanced button on the Security tab comes in. When you click the Advanced button, you’ll see two options (shown in Figure 4-5). The check boxes at the bottom determine the inheritance behavior for this object. P:\010Comp\CertPrs8\322-7\ch04tem.vp Monday, August 04, 2003 6:47:33 PM Color profile: Generic CMYK printer profile Composite Default screen CertPrs8 / MCSE/MCSA Windows Server 2003 Environment Study Guide / Desai / 222322-7 / Chapter 4 12 Chapter 4: Managing Resource Access FIGURE 4-5 Selecting inheritance of permissions The two options are: ■ “Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here”: When enabled, this option specifies that permissions assigned at higher-level objects (for example, a parent folder) will be inherited by this file or folder.
Recommended publications
  • Storage Administration Guide Storage Administration Guide SUSE Linux Enterprise Server 12 SP4

    Storage Administration Guide Storage Administration Guide SUSE Linux Enterprise Server 12 SP4

    SUSE Linux Enterprise Server 12 SP4 Storage Administration Guide Storage Administration Guide SUSE Linux Enterprise Server 12 SP4 Provides information about how to manage storage devices on a SUSE Linux Enterprise Server. Publication Date: September 24, 2021 SUSE LLC 1800 South Novell Place Provo, UT 84606 USA https://documentation.suse.com Copyright © 2006– 2021 SUSE LLC and contributors. All rights reserved. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”. For SUSE trademarks, see https://www.suse.com/company/legal/ . All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its aliates. Asterisks (*) denote third-party trademarks. All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its aliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof. Contents About This Guide xii 1 Available Documentation xii 2 Giving Feedback xiv 3 Documentation Conventions xiv 4 Product Life Cycle and Support xvi Support Statement for SUSE Linux Enterprise Server xvii • Technology Previews xviii I FILE SYSTEMS AND MOUNTING 1 1 Overview
  • System Calls System Calls

    System Calls System Calls

    System calls We will investigate several issues related to system calls. Read chapter 12 of the book Linux system call categories file management process management error handling note that these categories are loosely defined and much is behind included, e.g. communication. Why? 1 System calls File management system call hierarchy you may not see some topics as part of “file management”, e.g., sockets 2 System calls Process management system call hierarchy 3 System calls Error handling hierarchy 4 Error Handling Anything can fail! System calls are no exception Try to read a file that does not exist! Error number: errno every process contains a global variable errno errno is set to 0 when process is created when error occurs errno is set to a specific code associated with the error cause trying to open file that does not exist sets errno to 2 5 Error Handling error constants are defined in errno.h here are the first few of errno.h on OS X 10.6.4 #define EPERM 1 /* Operation not permitted */ #define ENOENT 2 /* No such file or directory */ #define ESRCH 3 /* No such process */ #define EINTR 4 /* Interrupted system call */ #define EIO 5 /* Input/output error */ #define ENXIO 6 /* Device not configured */ #define E2BIG 7 /* Argument list too long */ #define ENOEXEC 8 /* Exec format error */ #define EBADF 9 /* Bad file descriptor */ #define ECHILD 10 /* No child processes */ #define EDEADLK 11 /* Resource deadlock avoided */ 6 Error Handling common mistake for displaying errno from Linux errno man page: 7 Error Handling Description of the perror () system call.
  • The Downadup Codex a Comprehensive Guide to the Threat’S Mechanics

    The Downadup Codex a Comprehensive Guide to the Threat’S Mechanics

    Security Response The Downadup Codex A comprehensive guide to the threat’s mechanics. Edition 2.0 Introduction Contents Introduction.............................................................1 Since its appearance in late-2008, the Downadup worm has become Editor’s Note............................................................5 one of the most wide-spread threats to hit the Internet for a number of Increase in exploit attempts against MS08-067.....6 years. A complex piece of malicious code, this threat was able to jump W32.Downadup infection statistics.........................8 certain network hurdles, hide in the shadows of network traffic, and New variants of W32.Downadup.B find new ways to propagate.........................................10 defend itself against attack with a deftness not often seen in today’s W32.Downadup and W32.Downadup.B threat landscape. Yet it contained few previously unseen features. What statistics................................................................12 set it apart was the sheer number of tricks it held up its sleeve. Peer-to-peer payload distribution...........................15 Geo-location, fingerprinting, and piracy...............17 It all started in late-October of 2008, we began to receive reports of A lock with no key..................................................19 Small improvements yield big returns..................21 targeted attacks taking advantage of an as-yet unknown vulnerability Attempts at smart network scanning...................23 in Window’s remote procedure call (RPC) service. Microsoft quickly Playing with Universal Plug and Play...................24 released an out-of-band security patch (MS08-067), going so far as to Locking itself out.................................................27 classify the update as “critical” for some operating systems—the high- A new Downadup variant?......................................29 Advanced crypto protection.................................30 est designation for a Microsoft Security Bulletin.
  • System Calls and I/O

    System Calls and I/O

    System Calls and I/O CS 241 January 27, 2012 Copyright ©: University of Illinois CS 241 Staff 1 This lecture Goals Get you familiar with necessary basic system & I/O calls to do programming Things covered in this lecture Basic file system calls I/O calls Signals Note: we will come back later to discuss the above things at the concept level Copyright ©: University of Illinois CS 241 Staff 2 System Calls versus Function Calls? Copyright ©: University of Illinois CS 241 Staff 3 System Calls versus Function Calls Function Call Process fnCall() Caller and callee are in the same Process - Same user - Same “domain of trust” Copyright ©: University of Illinois CS 241 Staff 4 System Calls versus Function Calls Function Call System Call Process Process fnCall() sysCall() OS Caller and callee are in the same Process - Same user - OS is trusted; user is not. - Same “domain of trust” - OS has super-privileges; user does not - Must take measures to prevent abuse Copyright ©: University of Illinois CS 241 Staff 5 System Calls System Calls A request to the operating system to perform some activity System calls are expensive The system needs to perform many things before executing a system call The computer (hardware) saves its state The OS code takes control of the CPU, privileges are updated. The OS examines the call parameters The OS performs the requested function The OS saves its state (and call results) The OS returns control of the CPU to the caller Copyright ©: University of Illinois CS 241 Staff 6 Steps for Making a System Call
  • The Power Supply Subsystem

    The Power Supply Subsystem

    The Power Supply Subsystem Sebastian Reichel Collabora October 24, 2018 Open First Sebastian Reichel I Embedded Linux engineer at Collabora I Open Source Consultancy I Based in Oldenburg, Germany I Open Source contributor I Debian Developer I HSI and power-supply subsystem maintainer I Cofounder of Oldenburg's Hack(er)/Makerspace Open First The power-supply subsystem I batteries / fuel gauges I chargers I (board level poweroff/reset) I Originally written and maintained by Anton Vorontsov (2007-2014) Created by Blink@design from the Noun Project Created by Jenie Tomboc I Temporarily maintained by Dmitry from the Noun Project Eremin-Solenikov (2014) Open First Userspace Interface root@localhost# ls /sys/class/power_supply/ AC BAT0 BAT1 root@localhost# ls /sys/class/power_supply/BAT0 alarm energy_full_design status capacity energy_now subsystem capacity_level manufacturer technology charge_start_threshold model_name type charge_stop_threshold power uevent cycle_count power_now voltage_min_design ... root@localhost# cat /sys/class/power_supply/BAT0/capacity 65 Open First Userspace Interface root@localhost# udevadm info /sys/class/power_supply/BAT0 E: POWER_SUPPLY_CAPACITY=79 E: POWER_SUPPLY_ENERGY_FULL=15200000 E: POWER_SUPPLY_ENERGY_FULL_DESIGN=23200000 E: POWER_SUPPLY_ENERGY_NOW=12010000 E: POWER_SUPPLY_POWER_NOW=5890000 E: POWER_SUPPLY_STATUS=Discharging E: POWER_SUPPLY_VOLTAGE_MIN_DESIGN=11100000 E: POWER_SUPPLY_VOLTAGE_NOW=11688000 ... Open First Userspace Interface I one power-supply device = one physical device I All values are in uV,
  • Ext4 File System and Crash Consistency

    Ext4 File System and Crash Consistency

    1 Ext4 file system and crash consistency Changwoo Min 2 Summary of last lectures • Tools: building, exploring, and debugging Linux kernel • Core kernel infrastructure • Process management & scheduling • Interrupt & interrupt handler • Kernel synchronization • Memory management • Virtual file system • Page cache and page fault 3 Today: ext4 file system and crash consistency • File system in Linux kernel • Design considerations of a file system • History of file system • On-disk structure of Ext4 • File operations • Crash consistency 4 File system in Linux kernel User space application (ex: cp) User-space Syscalls: open, read, write, etc. Kernel-space VFS: Virtual File System Filesystems ext4 FAT32 JFFS2 Block layer Hardware Embedded Hard disk USB drive flash 5 What is a file system fundamentally? int main(int argc, char *argv[]) { int fd; char buffer[4096]; struct stat_buf; DIR *dir; struct dirent *entry; /* 1. Path name -> inode mapping */ fd = open("/home/lkp/hello.c" , O_RDONLY); /* 2. File offset -> disk block address mapping */ pread(fd, buffer, sizeof(buffer), 0); /* 3. File meta data operation */ fstat(fd, &stat_buf); printf("file size = %d\n", stat_buf.st_size); /* 4. Directory operation */ dir = opendir("/home"); entry = readdir(dir); printf("dir = %s\n", entry->d_name); return 0; } 6 Why do we care EXT4 file system? • Most widely-deployed file system • Default file system of major Linux distributions • File system used in Google data center • Default file system of Android kernel • Follows the traditional file system design 7 History of file system design 8 UFS (Unix File System) • The original UNIX file system • Design by Dennis Ritche and Ken Thompson (1974) • The first Linux file system (ext) and Minix FS has a similar layout 9 UFS (Unix File System) • Performance problem of UFS (and the first Linux file system) • Especially, long seek time between an inode and data block 10 FFS (Fast File System) • The file system of BSD UNIX • Designed by Marshall Kirk McKusick, et al.
  • File Handling in Python

    File Handling in Python

    hapter C File Handling in 2 Python There are many ways of trying to understand programs. People often rely too much on one way, which is called "debugging" and consists of running a partly- understood program to see if it does what you expected. Another way, which ML advocates, is to install some means of understanding in the very programs themselves. — Robin Milner In this Chapter » Introduction to Files » Types of Files » Opening and Closing a 2.1 INTRODUCTION TO FILES Text File We have so far created programs in Python that » Writing to a Text File accept the input, manipulate it and display the » Reading from a Text File output. But that output is available only during » Setting Offsets in a File execution of the program and input is to be entered through the keyboard. This is because the » Creating and Traversing a variables used in a program have a lifetime that Text File lasts till the time the program is under execution. » The Pickle Module What if we want to store the data that were input as well as the generated output permanently so that we can reuse it later? Usually, organisations would want to permanently store information about employees, inventory, sales, etc. to avoid repetitive tasks of entering the same data. Hence, data are stored permanently on secondary storage devices for reusability. We store Python programs written in script mode with a .py extension. Each program is stored on the secondary device as a file. Likewise, the data entered, and the output can be stored permanently into a file.
  • System Calls and Standard I/O

    System Calls and Standard I/O

    System Calls and Standard I/O Professor Jennifer Rexford http://www.cs.princeton.edu/~jrex 1 Goals of Today’s Class • System calls o How a user process contacts the Operating System o For advanced services that may require special privilege • Standard I/O library o Generic I/O support for C programs o A smart wrapper around I/O-related system calls o Stream concept, line-by-line input, formatted output, ... 2 1 System Calls 3 Communicating With the OS User Process signals systems calls Operating System • System call o Request to the operating system to perform a task o … that the process does not have permission to perform • Signal o Asynchronous notification sent to a process … to notify the process of an event that has occurred o 4 2 Processor Modes • The OS must restrict what a user process can do o What instructions can execute o What portions of the address space are accessible • Supervisor mode (or kernel mode) o Can execute any instructions in the instruction set – Including halting the processor, changing mode bit, initiating I/O o Can access any memory location in the system – Including code and data in the OS address space • User mode o Restricted capabilities – Cannot execute privileged instructions – Cannot directly reference code or data in OS address space o Any such attempt results in a fatal “protection fault” – Instead, access OS code and data indirectly via system calls 5 Main Categories of System Calls • File system o Low-level file I/O o E.g., creat, open, read, write, lseek, close • Multi-tasking mechanisms o Process
  • Your Performance Task Summary Explanation

    Your Performance Task Summary Explanation

    Lab Report: 11.2.5 Manage Files Your Performance Your Score: 0 of 3 (0%) Pass Status: Not Passed Elapsed Time: 6 seconds Required Score: 100% Task Summary Actions you were required to perform: In Compress the D:\Graphics folderHide Details Set the Compressed attribute Apply the changes to all folders and files In Hide the D:\Finances folder In Set Read-only on filesHide Details Set read-only on 2017report.xlsx Set read-only on 2018report.xlsx Do not set read-only for the 2019report.xlsx file Explanation In this lab, your task is to complete the following: Compress the D:\Graphics folder and all of its contents. Hide the D:\Finances folder. Make the following files Read-only: D:\Finances\2017report.xlsx D:\Finances\2018report.xlsx Complete this lab as follows: 1. Compress a folder as follows: a. From the taskbar, open File Explorer. b. Maximize the window for easier viewing. c. In the left pane, expand This PC. d. Select Data (D:). e. Right-click Graphics and select Properties. f. On the General tab, select Advanced. g. Select Compress contents to save disk space. h. Click OK. i. Click OK. j. Make sure Apply changes to this folder, subfolders and files is selected. k. Click OK. 2. Hide a folder as follows: a. Right-click Finances and select Properties. b. Select Hidden. c. Click OK. 3. Set files to Read-only as follows: a. Double-click Finances to view its contents. b. Right-click 2017report.xlsx and select Properties. c. Select Read-only. d. Click OK. e.
  • File Permissions Do Not Restrict Root

    File Permissions Do Not Restrict Root

    Filesystem Security 1 General Principles • Files and folders are managed • A file handle provides an by the operating system opaque identifier for a • Applications, including shells, file/folder access files through an API • File operations • Access control entry (ACE) – Open file: returns file handle – Allow/deny a certain type of – Read/write/execute file access to a file/folder by – Close file: invalidates file user/group handle • Access control list (ACL) • Hierarchical file organization – Collection of ACEs for a – Tree (Windows) file/folder – DAG (Linux) 2 Discretionary Access Control (DAC) • Users can protect what they own – The owner may grant access to others – The owner may define the type of access (read/write/execute) given to others • DAC is the standard model used in operating systems • Mandatory Access Control (MAC) – Alternative model not covered in this lecture – Multiple levels of security for users and documents – Read down and write up principles 3 Closed vs. Open Policy Closed policy Open Policy – Also called “default secure” • Deny Tom read access to “foo” • Give Tom read access to “foo” • Deny Bob r/w access to “bar” • Give Bob r/w access to “bar • Tom: I would like to read “foo” • Tom: I would like to read “foo” – Access denied – Access allowed • Tom: I would like to read “bar” • Tom: I would like to read “bar” – Access allowed – Access denied 4 Closed Policy with Negative Authorizations and Deny Priority • Give Tom r/w access to “bar” • Deny Tom write access to “bar” • Tom: I would like to read “bar” – Access
  • Clustered Data ONTAP 8.3 CIFS File Access Reference Guide

    Clustered Data ONTAP 8.3 CIFS File Access Reference Guide

    Clustered Data ONTAP® 8.3 CIFS File Access Reference Guide February 2016 | 215-10876_A0 [email protected] Updated for 8.3.2 Table of Contents | 3 Contents Deciding whether to use this guide ........................................................... 12 Understanding SMB file access with Data ONTAP ................................. 14 How namespaces and volume junctions affect SMB access on SVMs with FlexVol volumes .................................................................................................. 14 What namespaces in SVMs with FlexVol volumes are ................................. 14 Volume junction usage rules ......................................................................... 14 How volume junctions are used in SMB and NFS namespaces .................... 15 What the typical NAS namespace architectures are ...................................... 15 LIF configuration requirements for file access management .................................... 18 How security styles affect data access ....................................................................... 19 What the security styles and their effects are ................................................ 19 Where and when to set security styles .......................................................... 20 How to decide on what security style to use on SVMs with FlexVol volumes .................................................................................................... 20 How security style inheritance works ..........................................................
  • W4118: File Systems

    W4118: File Systems

    W4118: file systems Instructor: Junfeng Yang References: Modern Operating Systems (3rd edition), Operating Systems Concepts (8th edition), previous W4118, and OS at MIT, Stanford, and UWisc Outline File system concepts . What is a file? . What operations can be performed on files? . What is a directory and how is it organized? File implementation . How to allocate disk space to files? 1 What is a file User view . Named byte array • Types defined by user . Persistent across reboots and power failures OS view . Map bytes as collection of blocks on physical storage . Stored on nonvolatile storage device • Magnetic Disks 2 Role of file system Naming . How to “name” files . Translate “name” + offset logical block # Reliability . Must not lose file data Protection . Must mediate file access from different users Disk management . Fair, efficient use of disk space . Fast access to files 3 File metadata Name – only information kept in human-readable form Identifier – unique tag (number) identifies file within file system (inode number in UNIX) Location – pointer to file location on device Size – current file size Protection – controls who can do reading, writing, executing Time, date, and user identification – data for protection, security, and usage monitoring How is metadata stored? (inode in UNIX) 4 File operations int creat(const char* pathname, mode_t mode) int unlink(const char* pathname) int rename(const char* oldpath, const char* newpath) int open(const char* pathname, int flags, mode_t mode) int read(int fd, void* buf, size_t count); int write(int fd, const void* buf, size_t count) int lseek(int fd, offset_t offset, int whence) int truncate(const char* pathname, offset_t len) ..