Previous section.
DCE 1.1: Authentication and Security Services
Copyright © 1997 The Open Group
ACL Managers
This chapter specifies the common ACL managers supported by DCE.
See
ACL Managers, Permissions, Access Determination Algorithms
for generalities on ACL managers, and for the
definition of Common ACL Managers.
Data Types
This section defines (in IDL) the data types associated with ACL Managers.
Common Permissions
There are 7 permission bits, given in the following list, that are
distinguished by the ACL Facility, by virtue of their being given
specified names (in the C programming language) and values. These 7
distinguished permissions are said to be common permissions
because of their support by Common ACL Managers (see
ACL Managers, Permissions, Access Determination Algorithms
).
(The "colloquial" names of these permissions, as used in
ACL Managers, Permissions, Access Determination Algorithms
,
are given by the terminal substring following the last underscore
character of their C names.)
-
-
const sec_acl_permset_t sec_acl_perm_read = 0x00000001;
const sec_acl_perm_set_t sec_acl_perm_write = 0x00000002;
const sec_acl_perm_set_t sec_acl_perm_execute = 0x00000004;
const sec_acl_perm_set_t sec_acl_perm_control = 0x00000008;
const sec_acl_perm_set_t sec_acl_perm_insert = 0x00000010;
const sec_acl_perm_set_t sec_acl_perm_delete = 0x00000020;
const sec_acl_perm_set_t sec_acl_perm_test = 0x00000040;
It is beyond the scope of the generic ACL Facility itself to specify the
access semantics of these common permissions-that is the
responsibility of individual ACL managers themselves. (For their
semantics in the case of Common ACL Managers, see
ACL Managers, Permissions, Access Determination Algorithms
.)
Printstrings and Helpstrings
The printstring and helpstring associated with a permission bit are
represented by the sec_acl_printstring_t data type, which is
defined as follows:
-
-
const signed32 sec_acl_printstring_len = 16;
const signed32 sec_acl_printstring_help_len = 64;
typedef struct {
[string] char printstring[sec_acl_printstring_len];
[string] char helpstring[sec_acl_printstring_help_len];
sec_acl_permset_t perm;
} sec_acl_printstring_t;
Its semantics are that it specifies the printstring and helpstring associated
with the permission bit(s) perm. Its fields are the following:
-
printstring
The printstring associated to perm.
Its character elements are to be drawn from the alphanumeric characters
(a-zA-Z0-9) of the Portable Character Set (see
Appendix G, Portable Character Set, of the referenced Open Group DCE 1.1 RPC Specification).
Every common ACL manager is required to associate
distinct printstrings, of length >= 1, with each permission it
supports (distinct because typical user interfaces to ACL editors use
these printstrings to refer to permissions).
(However, it is not required that each printstring consists of a single
character, nor that the set of characters present in any one printstring
supported by an ACL manager are disjoint from those of any other
printstring it supports.)
-
helpstring
The helpstring associated to perm.
It contains a description of the semantics of perm.
Its character elements are to be drawn from the Portable Character Set
(see Appendix G, Portable Character Set, of the referenced Open Group DCE 1.1 RPC Specification).
-
perm
The bit representation of the permission for which this
sec_acl_printstring_t specifies the printstring and helpstring.
It must be a single bit; that is, its value must be a power of 2
(2k, 0 <= k <= 31).
The sec_acl_printstring_t is also used to describe ACL managers as
a whole, not just their individual permission bits (see
rdacl_get_manager_types()
).
Common Printstrings
There are 7 (single-character) printstrings, given in the following
list, that are distinguished by virtue of their being the
printstrings associated with the 7 common permission bits of Common ACL
Managers (for this reason, they are called common printstrings).
-
Read: "r".
-
Write: "w".
-
Execute: "x".
-
Control (or Change, or Write-ACL): "c".
-
Insert: "i".
-
Delete: "d".
-
Test: "t".
Common Helpstrings
There are 7 helpstrings, given in the following list, that are
distinguished by virtue of their being the recommended
helpstrings associated with the 7 common permission bits of
Common ACL Managers (for this reason, they are called common
helpstrings), at least in the "C locale".
-
Read: "read".
-
Write: "write".
-
Execute: "execute".
-
Control (or Change, or Write-ACL): "control".
-
Insert: "insert".
-
Delete: "delete".
-
Test: "test".
Common Access Determination Algorithm
There is one access determination algorithm, specified by pseudocode in
this section, that is distinguished by virtue of its being supported by
Common ACL Managers (for this reason, it is called the
common access determination algorithm). See
Common Access Determination Algorithm
for a memorisable mental image of this pseudocode. The pseudocode is
presented in three steps below. Recall that the ACLs supported by Common ACL
Managers satisfy the conditions of
Common ACLs
.
- Note:
- The common access determination algorithm depends only upon:
-
The client's PAC or EPAC
For DCE 1.1 and newer versions, an EPAC is used to encode the information
that used to be provided by the PAC. An EPAC also contains additional
attribute information - notably that required for delegation support.
Note that the steps described in this section, unless noted, may still
be used for access determination using a PAC.
-
The object's ACL
For DCE 1.1 and newer versions, new entries have been added to the ACL.
These extensions have been added as additional values for the existing
sec_acl_entry_type_t and defined in
ACLE Types
.
The key and permission fields of the new ACL entries are defined exactly
as they would for other DCE ACLEs.
Because of this, users of ACLs who do not enable delegation will continue
to operate as before, with no change in behavior.
- Notes:
-
Because new entries for delegation have been added as new ACLEs, no wire
protocol changes are necessary to support these new types.
-
It is possible to support delegation without using the new ACLE types that
have been added to the ACL. While this provides a simple migration path,
it has the consequence that every intermediary involved in an operation
(request) is granted the ability to perform the operation of their
own initiative (assuming their permissions are sufficient). However,
that behavior is strongly discouraged by this specification. The new entries
for delegation should be used. In this manner, intermediaries can be
listed on the ACL without granting the intermediary the ability to
operate on the target object directly.
-
The nature of the access request itself (that is, the set of
permissions required by the operation requested by the client to be
performed on the object).
Significantly, it does not depend on the name or path that
the client uses to specify the object.
This is in contradistinction to certain other systems, notably POSIX,
whose access semantics support a notion of "pathname resolution",
whereby a "search" ("traverse") permission is required of
intermediate naming nodes in addition to the access permissions of the
ultimate target (leaf) object.
For this reason, the common access determination algorithm is said to
be "object-based", as opposed to "name-based".
(If a name-based access model is required, as, for example, in a
POSIX-conformant distributed filesystem, it can of course be
implemented within the context of this specification via a
special-purpose (non-common) ACL manager.)
First Step: Reduction
In the first step of the algorithm,
the overall determination of access is reduced from the full access
request (consisting of a subset of the primitive permissions supported by
the Common ACL Manager) to the individual primitive permissions themselves
(or "permission bits") comprising the access request:
-
-
/* reduction step -- check each perm bit */
if (for every permission in the (non-empty) access request,
the matching step of the algorithm (below) grants access) {
GRANT access;
} else {
DENY access;
}
Note that the second leg of the above pseudocode is entered (resulting
in a denial of access) precisely when the matching step of the algorithm
(below) denies access for at least one permission in the (non-empty)
access request.
Second Step: Matching
In the second step of the algorithm,
the determination of access for an individual primitive permission is
reduced to a sequence of attempted matches against ACLE types (the
notion of "matching" is defined in the subalgorithms themselves).
This step is subdivided into two parts:
-
Determination of access for the client, in the non-delegation case, or
determination of access for the initiator, in the delegation case, by
a sequence of attempted matches against ACLE types, below:
-
-
/* matching step -- match PAC or EPAC against ACLEs, stop at */
/* first match */
if (PAC or EPAC matches ACL's USER_OBJ ACLE) {
invoke USER_OBJ subalgorithm;
} else if (PAC matches one of ACL's USER or FOREIGN_USER ACLEs) {
invoke USER's/FOREIGN_USER's subalgorithm;
} else if (PAC matches any of ACL's GROUP_OBJ, GROUP or
FOREIGN_GROUP ACLEs /*union model here*/) {
invoke GROUP_OBJ/GROUP's/FOREIGN_GROUP's subalgorithm;
} else if (PAC matches ACL's OTHER_OBJ ACLE) {
invoke OTHER_OBJ subalgorithm;
} else if (PAC matches one of ACL's FOREIGN_OTHER ACLEs) {
invoke FOREIGN_OTHER's subalgorithm;
} else if (PAC matches ACL's ANY_OTHER ACLE) {
invoke ANY_OTHER subalgorithm;
} else {
DENY access;
}
- Note:
- In the non_delegation case, the next substep is not executed. Thus,
when delegation is not in effect, the decision for the client is to either GRANT or
DENY access at this point.
-
Determination of access for each intermediary in the traced delegation
case, by a sequence of attempted matches against ACLE types, below:
/* matching step -- match EPAC against ACLEs, stop at first match */
if (EPAC matches ACL's USER_OBJ_DEL ACLE) {
invoke USER_OBJ_DEL subalgorithm;
} else if (EPAC matches one of ACL's USER_DEL or FOREIGN_USER_DEL ACLEs) {
invoke USER_DEL's/FOREIGN_USER_DEL's subalgorithm;
} else if (EPAC matches any of ACL's GROUP_OBJ_DEL, GROUP_DEL or
FOREIGN_GROUP_DEL ACLEs /*union model here*/) {
invoke GROUP_OBJ_DEL/GROUP_DEL's/FOREIGN_GROUP_DEL's subalgorithm;
} else if (EPAC matches ACL's OTHER_OBJ_DEL ACLE) {
invoke OTHER_OBJ_DEL subalgorithm;
} else if (EPAC matches one of ACL's FOREIGN_OTHER_DEL ACLEs) {
invoke FOREIGN_OTHER_DEL's subalgorithm;
} else if (EPAC matches ACL's ANY_OTHER_DEL ACLE) {
invoke ANY_OTHER_DEL subalgorithm;
} else {
DENY access;
}
Note that the final leg of the pseudocode in the access determination
checking in either of the two substeps above is entered (resulting in a
denial of access) if and only if the EPAC (or PAC) matches no ACLE of the ACL.
This is, in particular, the case if the ACL in question is empty
(that is, has an empty list of ACLEs). (An object protected by an
empty ACL is inaccessible, even for modifying its ACL; ACL
Managers will typically enforce a minimal, non-empty configuration for
their ACLs, so that this can't happen, but DCE does not specify such.)
Combined First and Second Steps
Note also that the first and second steps of the algorithm as presented
thus far are "interchangeable", and thus can be combined to give
the following equivalent algorithm (and this is the form in which
the paraphrase associated with
Common Access Determination Algorithm
was couched):
-
-
/* combined matching and reduction steps */
/* for client or, for delegation, initiator */
if (PAC matches ACL's USER_OBJ ACLE) {
if (for every permission in the (non-empty) access request,
the USER_OBJ subalgorithm grants access) {
GRANT access;
} else {
DENY access;
}
} else /* ··· similarly for the remaining subalgorithms ··· */
This compined set of steps also applies to intermediaries in the case of
traced delegation, using the ACLEs for delegation. Since the combined steps
are intuitively obvious, they are not explicitely shown here.
Third Step: Subalgorithms
The third step of the algorithm is to invoke the subalgorithm determined
by the second step. These subalgorithms determine access for an
individual requested permission, and are described below. Throughout
the following subalgorithms, to say that a permission is granted
(resp., denied) by an ACLE means that the bit in the ACLE's
permissions field representing that permission is set (resp.,
reset). Also, the following textual ("macro")
substitutions are employed:
-
-
/* MASK_OBJ ACLE masking */
#define MASK_OBJ-TEST-OK \
( (MASK_OBJ ACLE is not present in ACL) \
|| (permission is granted by MASK_OBJ ACLE) )
/* authentication flag test, and UNAUTHENTICATED ACLE masking */
#define AUTHENTICATION-TEST-OK \
( (PAC's authentication flag is TRUE) \
|| ( (UNAUTHENTICATED ACLE is present in ACL) \
&& (permission is granted by UNAUTHENTICATED ACLE) ) )
Thus note:
-
If the MASK_OBJ ACLE is not present in the ACL, the behaviour of
the MASK_OBJ-TEST-OK macro is the same "as if" it were present and
granted all permissions.
-
If the UNAUTHENTICATED ACLE is not
present in the ACL, the behaviour of the AUTHENTICATION-TEST-OK macro is
the same "as if" it were present and denied all permissions.
The subalgorithms are divided into two categories according to the
substeps of
Second Step: Matching
.
Thus, if either delegation is not enabled, or the authorisation is
for the initiator of a request, the non-intermediary subalgorithms in
Non-Intermediary Subalgorithms
are used. Otherwise, the intermediary subalgorithms in
Intermediary Subalgorithms
are used.
Non-Intermediary Subalgorithms
USER_OBJ Subalgorithm
This subalgorithm is invoked when the PAC matches the ACL's USER_OBJ
ACLE, in the following sense. There is a USER_OBJ ACLE present in the
ACL (there can be at most one, by
Common ACLs
),
and the principal to which the PAC refers is equal to the principal to which
the USER_OBJ refers.
-
-
/* USER_OBJ subalgorithm */
if ((permission is granted by USER_OBJ ACLE)
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
USER/FOREIGN_USER Subalgorithm
This subalgorithm is invoked when the PAC matches one of the ACL's USER
or FOREIGN_USER ACLEs, in the following sense (at most one ACLE can be
matched). There are (one or more) USER and/or FOREIGN_USER ACLEs
present in the ACL, and the principal to which the PAC refers is equal
to the principal to which some USER or FOREIGN_USER ACLE refers.
-
-
/* USER's/FOREIGN_USER's subalgorithm */
if ((permission is granted by matched USER or FOREIGN_USER ACLE)
&& MASK_OBJ-TEST-OK
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
GROUP_OBJ/GROUP/FOREIGN_GROUP Subalgorithm
This subalgorithm is invoked when the PAC matches any of the ACL's
GROUP_OBJ, GROUP or FOREIGN_GROUP ACLEs, in the following sense (one or
more ACLEs can be matched). There are (one or more) GROUP_OBJ, GROUP
and/or FOREIGN_GROUP ACLEs present in the ACLE, and some primary group,
local secondary group or foreign secondary group to which the PAC refers
is equal to some group to which some GROUP_OBJ, GROUP or FOREIGN_GROUP refers.
-
-
/* GROUP_OBJ/GROUP's/FOREIGN_GROUP's subalgorithm */
if ((permission is granted by (at least one) matched GROUP_OBJ,
GROUP or FOREIGN_GROUP ACLE)
&& MASK_OBJ-TEST-OK
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
OTHER_OBJ Subalgorithm
This subalgorithm is invoked when the PAC matches the ACL's OTHER_OBJ
ACLE, in the following sense. There is an OTHER_OBJ ACLE present in the
ACL (there can be at most one), and the cell to which the PAC refers is
equal to the cell to which the ACL refers.
-
-
/* OTHER_OBJ subalgorithm */
if ((permission is granted by OTHER_OBJ ACLE)
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
FOREIGN_OTHER Subalgorithm
This subalgorithm is invoked when the PAC matches one of the ACL's
FOREIGN_OTHER ACLEs, in the following sense (at most one ACLE can be
matched). There are (one or more) FOREIGN_OTHER ACLEs present in the
ACL, and the cell to which the PAC refers is equal to the cell to which
some FOREIGN_OTHER ACLE refers.
-
-
/* FOREIGN_OTHER's subalgorithm */
if ((permission is granted by matched FOREIGN_OTHER ACLE)
&& MASK_OBJ-TEST-OK
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
ANY_OTHER Subalgorithm
This subalgorithm is invoked when the PAC matches the ACL's ANY_OTHER
ACLE, in the following sense. There is an ANY_OTHER ACLE present in the
ACL (there can be at most one), and none of the preceding subalgorithms
has been invoked. That is, every PAC "matches" the ANY_OTHER
ACLE (if it is present), including a NULL PAC (which is considered
to be "unauthenticated").
-
-
/* ANY_OTHER subalgorithm */
if ((permission is granted by ANY_OTHER ACLE)
&& MASK_OBJ-TEST-OK
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
Intermediary Subalgorithms
USER_OBJ_DEL Subalgorithm
This subalgorithm is invoked when the EPAC matches the ACL's USER_OBJ_DEL
ACLE, in the following sense. There is a USER_OBJ_DEL ACLE present in the
ACL (there can be at most one, by POSIX-allowable delegation extensions to
Common ACLs
),
and the principal to which the EPAC refers is equal to the principal to which
the USER_OBJ_DEL refers.
-
-
/* USER_OBJ_DEL subalgorithm */
if ((permission is granted by USER_OBJ_DEL ACLE)
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
USER_DEL/FOREIGN_USER_DEL Subalgorithm
This subalgorithm is invoked when the EPAC matches one of the ACL's USER_DEL
or FOREIGN_USER_DEL ACLEs, in the following sense (at most one ACLE can be
matched). There are (one or more) USER_DEL and/or FOREIGN_USER_DEL ACLEs
present in the ACL, and the principal to which the EPAC refers is equal
to the principal to which some USER_DEL or FOREIGN_USER_DEL ACLE refers.
-
-
/* USER_DEL's/FOREIGN_USER_DEL's subalgorithm */
if ((permission is granted by matched USER_DEL or FOREIGN_USER_DEL ACLE)
&& MASK_OBJ-TEST-OK
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
GROUP_OBJ_DEL/GROUP_DEL/FOREIGN_GROUP_DEL Subalgorithm
This subalgorithm is invoked when the EPAC matches any of the ACL's
GROUP_OBJ_DEL, GROUP_DEL or FOREIGN_GROUP_DEL ACLEs, in the following sense (one or
more ACLEs can be matched). There are (one or more) GROUP_OBJ_DEL, GROUP_DEL
and/or FOREIGN_GROUP_DEL ACLEs present in the ACLE, and some primary group,
local secondary group or foreign secondary group to which the EPAC refers
is equal to some group to which some GROUP_OBJ_DEL, GROUP_DEL or FOREIGN_GROUP_DEL
refers.
-
-
/* GROUP_OBJ_DEL/GROUP_DEL's/FOREIGN_GROUP_DEL's subalgorithm */
if ((permission is granted by (at least one) matched GROUP_OBJ_DEL,
GROUP_DEL or FOREIGN_GROUP_DEL ACLE)
&& MASK_OBJ-TEST-OK
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
OTHER_OBJ_DEL Subalgorithm
This subalgorithm is invoked when the EPAC matches the ACL's OTHER_OBJ_DEL
ACLE, in the following sense. There is an OTHER_OBJ_DEL ACLE present in the
ACL (there can be at most one), and the cell to which the EPAC refers is
equal to the cell to which the ACL refers.
-
-
/* OTHER_OBJ_DEL subalgorithm */
if ((permission is granted by OTHER_OBJ_DEL ACLE)
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
FOREIGN_OTHER_DEL Subalgorithm
This subalgorithm is invoked when the EPAC matches one of the ACL's
FOREIGN_OTHER_DEL ACLEs, in the following sense (at most one ACLE can be
matched). There are (one or more) FOREIGN_OTHER_DEL ACLEs present in the
ACL, and the cell to which the EPAC refers is equal to the cell to which
some FOREIGN_OTHER_DEL ACLE refers.
-
-
/* FOREIGN_OTHER_DEL's subalgorithm */
if ((permission is granted by matched FOREIGN_OTHER_DEL ACLE)
&& MASK_OBJ-TEST-OK
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
ANY_OTHER_DEL Subalgorithm
This subalgorithm is invoked when the EPAC matches the ACL's ANY_OTHER_DEL
ACLE, in the following sense. There is an ANY_OTHER_DEL ACLE present in the
ACL (there can be at most one), and none of the preceding subalgorithms
has been invoked. That is, every EPAC "matches" the ANY_OTHER_DEL
ACLE (if it is present), including a NULL EPAC (which is considered
to be "unauthenticated").
-
-
/* ANY_OTHER_DEL subalgorithm */
if ((permission is granted by ANY_OTHER_DEL ACLE)
&& MASK_OBJ-TEST-OK
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
Please note that the html version of this specification
may contain formatting aberrations. The definitive version
is available as an electronic publication on CD-ROM
from The Open Group.