This chapter specifies the common ACL managers supported by DCE.
See
const sec_acl_permset_t sec_acl_perm_read    = 0x00000001;
const sec_acl_permset_t sec_acl_perm_write   = 0x00000002;
const sec_acl_permset_t sec_acl_perm_execute = 0x00000004;
const sec_acl_permset_t sec_acl_perm_control = 0x00000008;
const sec_acl_permset_t sec_acl_perm_insert  = 0x00000010;
const sec_acl_permset_t sec_acl_perm_delete  = 0x00000020;
const sec_acl_permset_t sec_acl_perm_test    = 0x00000040;
const signed32 sec_acl_printstring_len = 16;
const signed32 sec_acl_printstring_help_len = 64;
typedef struct {
[string] char printstring[sec_acl_printstring_len];
[string] char helpstring[sec_acl_printstring_help_len];
sec_acl_permset_t perm;
} sec_acl_printstring_t;
Its semantics are that it specifies the printstring and helpstring associated with the permission bit(s) perm. Its fields are the following:
The printstring associated with perm. Its character elements are to be drawn from the alphanumeric characters (a-zA-Z0-9) of the Portable Character Set (see Appendix G, Portable Character Set, of the referenced Open Group DCE 1.1 RPC Specification). Every common ACL manager is required to associate distinct printstrings, of length >= 1, with each permission it supports (distinct because typical user interfaces to ACL editors use these printstrings to refer to permissions). Since the field is declared as a [string] array of sec_acl_printstring_len characters, the terminating NUL is included in that bound, so a printstring holds at most sec_acl_printstring_len - 1 characters. (However, it is not required that each printstring consist of a single character, nor that the set of characters present in any one printstring supported by an ACL manager be disjoint from those of any other printstring it supports.)
The helpstring associated with perm. It contains a description of the semantics of perm. Its character elements are to be drawn from the Portable Character Set (see Appendix G, Portable Character Set, of the referenced Open Group DCE 1.1 RPC Specification); as with printstring, the declared length includes the terminating NUL.
The bit representation of the permission for which this sec_acl_printstring_t specifies the printstring and helpstring. It must be a single bit; that is, its value must be a power of 2 (2^k, 0 <= k <= 31).
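As an added example (not code from the specification), the following Python models the sec_acl_printstring_t constraints above and uses a printstring table to render and parse a permission set the way an ACL editor would. The seven permission bits are the page's own constants; the one-letter printstrings and helpstrings in the table are an assumption made for this example, since the text constrains printstrings but does not list them. The helpstring character check approximates the Portable Character Set with printable ASCII, which is also an assumption.

```python
import re
from typing import List, NamedTuple

# Permission bits from the page's sec_acl_permset_t constants.
SEC_ACL_PERM_READ    = 0x00000001
SEC_ACL_PERM_WRITE   = 0x00000002
SEC_ACL_PERM_EXECUTE = 0x00000004
SEC_ACL_PERM_CONTROL = 0x00000008
SEC_ACL_PERM_INSERT  = 0x00000010
SEC_ACL_PERM_DELETE  = 0x00000020
SEC_ACL_PERM_TEST    = 0x00000040

# Buffer sizes from the IDL; a [string] char[N] holds at most N-1 characters plus NUL.
SEC_ACL_PRINTSTRING_LEN = 16
SEC_ACL_PRINTSTRING_HELP_LEN = 64


class PrintString(NamedTuple):   # mirrors sec_acl_printstring_t
    printstring: str
    helpstring: str
    perm: int


# Constructed table (assumption for this example: the spec constrains the
# printstrings but does not prescribe these particular values).
PRINTSTRINGS = [
    PrintString("r", "read", SEC_ACL_PERM_READ),
    PrintString("w", "write", SEC_ACL_PERM_WRITE),
    PrintString("x", "execute", SEC_ACL_PERM_EXECUTE),
    PrintString("c", "control", SEC_ACL_PERM_CONTROL),
    PrintString("i", "insert", SEC_ACL_PERM_INSERT),
    PrintString("d", "delete", SEC_ACL_PERM_DELETE),
    PrintString("t", "test", SEC_ACL_PERM_TEST),
]

_ALNUM = re.compile(r"^[A-Za-z0-9]+$")


def validate_printstrings(table: List[PrintString]) -> List[str]:
    """Check a manager's printstring table against the rules in the text; returns violations."""
    problems = []
    seen = set()
    for ps in table:
        # perm must be exactly one bit: 2^k with 0 <= k <= 31
        if ps.perm <= 0 or ps.perm > (1 << 31) or ps.perm & (ps.perm - 1):
            problems.append(f"perm {ps.perm:#x} is not a single bit")
        # printstring: 1..15 characters, alphanumeric only
        if not 1 <= len(ps.printstring) < SEC_ACL_PRINTSTRING_LEN:
            problems.append(f"printstring {ps.printstring!r} has bad length")
        elif not _ALNUM.match(ps.printstring):
            problems.append(f"printstring {ps.printstring!r} is not alphanumeric")
        # printstrings must be distinct across the table
        if ps.printstring in seen:
            problems.append(f"printstring {ps.printstring!r} is duplicated")
        seen.add(ps.printstring)
        # helpstring: fits its buffer; printable ASCII approximates the PCS (assumption)
        if not (len(ps.helpstring) < SEC_ACL_PRINTSTRING_HELP_LEN
                and ps.helpstring.isascii() and ps.helpstring.isprintable()):
            problems.append(f"helpstring for {ps.printstring!r} is invalid")
    return problems


def permset_to_string(permset: int, table: List[PrintString] = PRINTSTRINGS) -> str:
    """Render a permset as an editor-style string, '-' for each bit that is not set."""
    known = 0
    for ps in table:
        known |= ps.perm
    if permset & ~known:
        raise ValueError(f"permset {permset:#x} has bits the manager does not describe")
    return "".join(ps.printstring if permset & ps.perm else "-" for ps in table)


def string_to_permset(text: str, table: List[PrintString] = PRINTSTRINGS) -> int:
    """Parse a printstring sequence back into a permset. Longest match is used
    because printstrings may be longer than one character and may share characters."""
    by_name = {ps.printstring: ps.perm for ps in table}
    longest = max(len(n) for n in by_name)
    permset, i = 0, 0
    while i < len(text):
        if text[i] == "-":
            i += 1
            continue
        for n in range(min(longest, len(text) - i), 0, -1):
            if text[i:i + n] in by_name:
                permset |= by_name[text[i:i + n]]
                i += n
                break
        else:
            raise ValueError(f"unknown permission token at {text[i:]!r}")
    return permset
```

Running `validate_printstrings` at manager start-up catches a table that violates the single-bit or distinctness rules before any editor relies on it; `permset_to_string` refuses bits the table does not describe, since a manager must name every permission it supports.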
The sec_acl_printstring_t is also used to describe ACL managers as
a whole, not just their individual permission bits (see
For DCE 1.1 and newer versions, an EPAC is used to encode the information that used to be provided by the PAC. An EPAC also contains additional attribute information - notably that required for delegation support.
Note that the steps described in this section, unless noted, may still be used for access determination using a PAC.
For DCE 1.1 and newer versions, new entries have been added to the ACL.
These extensions have been added as additional values for the existing
sec_acl_entry_type_t and defined in
Significantly, the common access determination algorithm does not depend on the name or path that the client uses to specify the object. This is in contradistinction to certain other systems, notably POSIX, whose access semantics support a notion of "pathname resolution", whereby a "search" ("traverse") permission is required of intermediate naming nodes in addition to the access permissions of the ultimate target (leaf) object. For this reason, the common access determination algorithm is said to be "object-based", as opposed to "name-based". (If a name-based access model is required, as, for example, in a POSIX-conformant distributed filesystem, it can of course be implemented within the context of this specification via a special-purpose (non-common) ACL manager.)
In the first step of the algorithm,
the overall determination of access is reduced from the full access
request (consisting of a subset of the primitive permissions supported by
the Common ACL Manager) to the individual primitive permissions themselves
(or "permission bits") comprising the access request:
/* reduction step -- check each perm bit */
if (for every permission in the (non-empty) access request,
the matching step of the algorithm (below) grants access) {
GRANT access;
} else {
DENY access;
}
Note that the second leg of the above pseudocode is entered (resulting in a denial of access) precisely when the matching step of the algorithm (below) denies access for at least one permission in the (non-empty) access request.
In the second step of the algorithm, the determination of access for an individual primitive permission is reduced to a sequence of attempted matches against ACLE types (the notion of "matching" is defined in the subalgorithms themselves). This step is subdivided into two parts:
/* matching step -- match PAC or EPAC against ACLEs, stop at */
/* first match */
if (PAC or EPAC matches ACL's USER_OBJ ACLE) {
invoke USER_OBJ subalgorithm;
} else if (PAC matches one of ACL's USER or FOREIGN_USER ACLEs) {
invoke USER's/FOREIGN_USER's subalgorithm;
} else if (PAC matches any of ACL's GROUP_OBJ, GROUP or
FOREIGN_GROUP ACLEs /*union model here*/) {
invoke GROUP_OBJ/GROUP's/FOREIGN_GROUP's subalgorithm;
} else if (PAC matches ACL's OTHER_OBJ ACLE) {
invoke OTHER_OBJ subalgorithm;
} else if (PAC matches one of ACL's FOREIGN_OTHER ACLEs) {
invoke FOREIGN_OTHER's subalgorithm;
} else if (PAC matches ACL's ANY_OTHER ACLE) {
invoke ANY_OTHER subalgorithm;
} else {
DENY access;
}
/* matching step -- match EPAC against ACLEs, stop at first match */
if (EPAC matches ACL's USER_OBJ_DEL ACLE) {
invoke USER_OBJ_DEL subalgorithm;
} else if (EPAC matches one of ACL's USER_DEL or FOREIGN_USER_DEL ACLEs) {
invoke USER_DEL's/FOREIGN_USER_DEL's subalgorithm;
} else if (EPAC matches any of ACL's GROUP_OBJ_DEL, GROUP_DEL or
FOREIGN_GROUP_DEL ACLEs /*union model here*/) {
invoke GROUP_OBJ_DEL/GROUP_DEL's/FOREIGN_GROUP_DEL's subalgorithm;
} else if (EPAC matches ACL's OTHER_OBJ_DEL ACLE) {
invoke OTHER_OBJ_DEL subalgorithm;
} else if (EPAC matches one of ACL's FOREIGN_OTHER_DEL ACLEs) {
invoke FOREIGN_OTHER_DEL's subalgorithm;
} else if (EPAC matches ACL's ANY_OTHER_DEL ACLE) {
invoke ANY_OTHER_DEL subalgorithm;
} else {
DENY access;
}
Note that the final leg of the pseudocode in the access determination checking in either of the two substeps above is entered (resulting in a denial of access) if and only if the EPAC (or PAC) matches no ACLE of the ACL. This is, in particular, the case if the ACL in question is empty (that is, has an empty list of ACLEs). (An object protected by an empty ACL is inaccessible, even for modifying its ACL; ACL Managers will typically enforce a minimal, non-empty configuration for their ACLs, so that this can't happen, but DCE does not specify such.)
/* combined matching and reduction steps */
/* for client or, for delegation, initiator */
if (PAC matches ACL's USER_OBJ ACLE) {
if (for every permission in the (non-empty) access request,
the USER_OBJ subalgorithm grants access) {
GRANT access;
} else {
DENY access;
}
} else /* ··· similarly for the remaining subalgorithms ··· */
This combined set of steps also applies to intermediaries in the case of
traced delegation, using the ACLEs for delegation. Since the combined steps
are intuitively obvious, they are not explicitly shown here.
/* MASK_OBJ ACLE masking */
#define MASK_OBJ-TEST-OK \
( (MASK_OBJ ACLE is not present in ACL) \
|| (permission is granted by MASK_OBJ ACLE) )
/* authentication flag test, and UNAUTHENTICATED ACLE masking */
#define AUTHENTICATION-TEST-OK \
( (PAC's authentication flag is TRUE) \
|| ( (UNAUTHENTICATED ACLE is present in ACL) \
&& (permission is granted by UNAUTHENTICATED ACLE) ) )
Thus note:
The subalgorithms are divided into two categories according to the
substeps of
/* USER_OBJ subalgorithm */
if ((permission is granted by USER_OBJ ACLE)
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
/* USER's/FOREIGN_USER's subalgorithm */
if ((permission is granted by matched USER or FOREIGN_USER ACLE)
&& MASK_OBJ-TEST-OK
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
/* GROUP_OBJ/GROUP's/FOREIGN_GROUP's subalgorithm */
if ((permission is granted by (at least one) matched GROUP_OBJ,
GROUP or FOREIGN_GROUP ACLE)
&& MASK_OBJ-TEST-OK
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
/* OTHER_OBJ subalgorithm */
if ((permission is granted by OTHER_OBJ ACLE)
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
/* FOREIGN_OTHER's subalgorithm */
if ((permission is granted by matched FOREIGN_OTHER ACLE)
&& MASK_OBJ-TEST-OK
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
/* ANY_OTHER subalgorithm */
if ((permission is granted by ANY_OTHER ACLE)
&& MASK_OBJ-TEST-OK
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
/* USER_OBJ_DEL subalgorithm */
if ((permission is granted by USER_OBJ_DEL ACLE)
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
/* USER_DEL's/FOREIGN_USER_DEL's subalgorithm */
if ((permission is granted by matched USER_DEL or FOREIGN_USER_DEL ACLE)
&& MASK_OBJ-TEST-OK
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
/* GROUP_OBJ_DEL/GROUP_DEL's/FOREIGN_GROUP_DEL's subalgorithm */
if ((permission is granted by (at least one) matched GROUP_OBJ_DEL,
GROUP_DEL or FOREIGN_GROUP_DEL ACLE)
&& MASK_OBJ-TEST-OK
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
/* OTHER_OBJ_DEL subalgorithm */
if ((permission is granted by OTHER_OBJ_DEL ACLE)
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
/* FOREIGN_OTHER_DEL's subalgorithm */
if ((permission is granted by matched FOREIGN_OTHER_DEL ACLE)
&& MASK_OBJ-TEST-OK
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
/* ANY_OTHER_DEL subalgorithm */
if ((permission is granted by ANY_OTHER_DEL ACLE)
&& MASK_OBJ-TEST-OK
&& AUTHENTICATION-TEST-OK) {
GRANT access;
} else {
DENY access;
}
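The following Python is an added example, not code from the specification, that implements the reduction step, the non-delegation matching step and the subalgorithms above over a constructed ACL and PACs, including the MASK_OBJ and UNAUTHENTICATED tests. It assumes that the object's owner and owning group are stored alongside the ACL (these are what the USER_OBJ and GROUP_OBJ entries refer to), that USER and GROUP entries name principals and groups in the ACL's default cell, and that principals, groups and cells are identified by plain strings rather than UUIDs. The sample ACL is constructed so that the cases exercise the first-match rule (a USER entry overrides a more generous GROUP entry for the same principal), the union of matched group entries, masking, unauthenticated access and the empty-ACL case.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional, Tuple

# Permission bits from the page's sec_acl_permset_t constants (read .. test).
READ, WRITE, EXECUTE, CONTROL, INSERT, DELETE, TEST = (1 << k for k in range(7))

# sec_acl_entry_type_t values consulted by the non-delegation matching step.
T = Enum("T", "USER_OBJ USER FOREIGN_USER GROUP_OBJ GROUP FOREIGN_GROUP "
              "OTHER_OBJ FOREIGN_OTHER ANY_OTHER MASK_OBJ UNAUTHENTICATED")


@dataclass(frozen=True)
class ACLE:
    etype: T
    perms: int
    cell: Optional[str] = None   # FOREIGN_* entries name a cell; USER/GROUP live in the default cell
    name: Optional[str] = None   # principal or group name for USER/GROUP-style entries


@dataclass(frozen=True)
class PAC:                       # only the PAC fields the algorithm consults
    cell: str
    principal: str
    groups: FrozenSet[Tuple[str, str]]   # (cell, group) memberships, local and foreign
    authenticated: bool


@dataclass
class ACL:
    default_cell: str
    owner: str           # assumption: object owner kept with the ACL (what USER_OBJ refers to)
    owning_group: str    # assumption: object owning group (what GROUP_OBJ refers to)
    entries: Tuple[ACLE, ...]

    def of_type(self, t: T) -> List[ACLE]:
        return [e for e in self.entries if e.etype == t]


def _granted(entries: List[ACLE], perm: int) -> bool:
    return any(e.perms & perm for e in entries)


def _match(acl: ACL, pac: PAC):
    """Matching step: the first matching ACLE category wins. Returns (matched
    ACLEs, whether MASK_OBJ applies to them), or None when no ACLE matches."""
    local = pac.cell == acl.default_cell
    if local and pac.principal == acl.owner and acl.of_type(T.USER_OBJ):
        return acl.of_type(T.USER_OBJ), False
    users = [e for e in acl.entries
             if (e.etype == T.USER and local and e.name == pac.principal)
             or (e.etype == T.FOREIGN_USER and (e.cell, e.name) == (pac.cell, pac.principal))]
    if users:
        return users, True
    groups = [e for e in acl.entries   # union model: every matching group entry counts
              if (e.etype == T.GROUP_OBJ and (acl.default_cell, acl.owning_group) in pac.groups)
              or (e.etype == T.GROUP and (acl.default_cell, e.name) in pac.groups)
              or (e.etype == T.FOREIGN_GROUP and (e.cell, e.name) in pac.groups)]
    if groups:
        return groups, True
    if local and acl.of_type(T.OTHER_OBJ):
        return acl.of_type(T.OTHER_OBJ), False
    foreign_other = [e for e in acl.entries if e.etype == T.FOREIGN_OTHER and e.cell == pac.cell]
    if foreign_other:
        return foreign_other, True
    if acl.of_type(T.ANY_OTHER):
        return acl.of_type(T.ANY_OTHER), True
    return None


def check_perm(acl: ACL, pac: PAC, perm: int) -> bool:
    """Subalgorithm for one permission bit: grant by the matched ACLE(s), then the
    MASK_OBJ test (where it applies) and the authentication/UNAUTHENTICATED test."""
    matched = _match(acl, pac)
    if matched is None:               # no ACLE matched, e.g. an empty ACL: deny
        return False
    entries, masked = matched
    mask_ok = not masked or not acl.of_type(T.MASK_OBJ) or _granted(acl.of_type(T.MASK_OBJ), perm)
    auth_ok = pac.authenticated or _granted(acl.of_type(T.UNAUTHENTICATED), perm)
    return _granted(entries, perm) and mask_ok and auth_ok


def is_authorized(acl: ACL, pac: PAC, requested: int) -> bool:
    """Reduction step: every bit of the non-empty request must pass check_perm."""
    if requested == 0:
        raise ValueError("access request must be non-empty")
    return all(check_perm(acl, pac, 1 << k) for k in range(32) if requested & (1 << k))


# Constructed sample: object in cell "cell-a", owned by alice, owning group staff.
SAMPLE_ACL = ACL("cell-a", "alice", "staff", (
    ACLE(T.USER_OBJ, READ | WRITE | CONTROL),
    ACLE(T.USER, READ, name="bob"),                        # bob: read only, even if he is in dev
    ACLE(T.GROUP_OBJ, READ | WRITE),
    ACLE(T.GROUP, READ | WRITE | EXECUTE, name="dev"),
    ACLE(T.FOREIGN_GROUP, READ, cell="cell-b", name="auditors"),
    ACLE(T.OTHER_OBJ, READ),
    ACLE(T.ANY_OTHER, READ),
    ACLE(T.MASK_OBJ, READ | WRITE),   # caps USER/GROUP*/FOREIGN_*/ANY_OTHER, not USER_OBJ or OTHER_OBJ
    ACLE(T.UNAUTHENTICATED, READ),
))


def pac(cell: str, principal: str, *groups: Tuple[str, str], authenticated: bool = True) -> PAC:
    return PAC(cell, principal, frozenset(groups), authenticated)
```

Two consequences of the algorithm are worth checking against this model: the owner's CONTROL bit is granted even though MASK_OBJ lacks it, because the USER_OBJ subalgorithm is not masked; and bob cannot WRITE through the dev GROUP entry, because his USER entry matched first and the group entries are never consulted.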