DCE 1.1: Authentication and Security Services

DCE 1.1: Authentication and Security Services
Copyright © 1997 The Open Group

ACL Managers

This chapter specifies the common ACL managers supported by DCE. See ACL Managers, Permissions, Access Determination Algorithms for generalities on ACL managers, and for the definition of Common ACL Managers.

Data Types

This section defines (in IDL) the data types associated with ACL Managers.

Common Permissions

There are 7 permission bits, given in the following list, that are distinguished by the ACL Facility, by virtue of their being given specified names (in the C programming language) and values. These 7 distinguished permissions are said to be common permissions because of their support by Common ACL Managers (see ACL Managers, Permissions, Access Determination Algorithms ). (The "colloquial" names of these permissions, as used in ACL Managers, Permissions, Access Determination Algorithms , are given by the terminal substring following the last underscore character of their C names.)

 

const sec_acl_permset_t   sec_acl_perm_read    = 0x00000001;
const sec_acl_perm_set_t  sec_acl_perm_write   = 0x00000002;
const sec_acl_perm_set_t  sec_acl_perm_execute = 0x00000004;
const sec_acl_perm_set_t  sec_acl_perm_control = 0x00000008;
const sec_acl_perm_set_t  sec_acl_perm_insert  = 0x00000010;
const sec_acl_perm_set_t  sec_acl_perm_delete  = 0x00000020;
const sec_acl_perm_set_t  sec_acl_perm_test    = 0x00000040;

It is beyond the scope of the generic ACL Facility itself to specify the access semantics of these common permissions-that is the responsibility of individual ACL managers themselves. (For their semantics in the case of Common ACL Managers, see ACL Managers, Permissions, Access Determination Algorithms .)

Printstrings and Helpstrings

The printstring and helpstring associated with a permission bit are represented by the sec_acl_printstring_t data type, which is defined as follows:

 

const signed32 sec_acl_printstring_len = 16;
const signed32 sec_acl_printstring_help_len = 64;

typedef struct {
    [string] char         printstring[sec_acl_printstring_len];
    [string] char         helpstring[sec_acl_printstring_help_len];
    sec_acl_permset_t     perm;
}                                sec_acl_printstring_t;

Its semantics are that it specifies the printstring and helpstring associated with the permission bit(s) perm. Its fields are the following:

printstring
The printstring associated to perm. Its character elements are to be drawn from the alphanumeric characters (a-zA-Z0-9) of the Portable Character Set (see Appendix G, Portable Character Set, of the referenced Open Group DCE 1.1 RPC Specification). Every common ACL manager is required to associate distinct printstrings, of length >= 1, with each permission it supports (distinct because typical user interfaces to ACL editors use these printstrings to refer to permissions). (However, it is not required that each printstring consists of a single character, nor that the set of characters present in any one printstring supported by an ACL manager are disjoint from those of any other printstring it supports.)
helpstring
The helpstring associated to perm. It contains a description of the semantics of perm. Its character elements are to be drawn from the Portable Character Set (see Appendix G, Portable Character Set, of the referenced Open Group DCE 1.1 RPC Specification).
perm
The bit representation of the permission for which this sec_acl_printstring_t specifies the printstring and helpstring. It must be a single bit; that is, its value must be a power of 2 (2^k, 0 <= k <= 31).

The sec_acl_printstring_t is also used to describe ACL managers as a whole, not just their individual permission bits (see rdacl_get_manager_types() ).

Common Printstrings

There are 7 (single-character) printstrings, given in the following list, that are distinguished by virtue of their being the printstrings associated with the 7 common permission bits of Common ACL Managers (for this reason, they are called common printstrings).

Read: "r".
Write: "w".
Execute: "x".
Control (or Change, or Write-ACL): "c".
Insert: "i".
Delete: "d".
Test: "t".

Common Helpstrings

There are 7 helpstrings, given in the following list, that are distinguished by virtue of their being the recommended helpstrings associated with the 7 common permission bits of Common ACL Managers (for this reason, they are called common helpstrings), at least in the "C locale".

Read: "read".
Write: "write".
Execute: "execute".
Control (or Change, or Write-ACL): "control".
Insert: "insert".
Delete: "delete".
Test: "test".

Common Access Determination Algorithm

There is one access determination algorithm, specified by pseudocode in this section, that is distinguished by virtue of its being supported by Common ACL Managers (for this reason, it is called the common access determination algorithm). See Common Access Determination Algorithm for a memorisable mental image of this pseudocode. The pseudocode is presented in three steps below. Recall that the ACLs supported by Common ACL Managers satisfy the conditions of Common ACLs .

Note:

The common access determination algorithm depends only upon:

The client's PAC or EPAC
For DCE 1.1 and newer versions, an EPAC is used to encode the information that used to be provided by the PAC. An EPAC also contains additional attribute information - notably that required for delegation support.
Note that the steps described in this section, unless noted, may still be used for access determination using a PAC.
The object's ACL
For DCE 1.1 and newer versions, new entries have been added to the ACL. These extensions have been added as additional values for the existing sec_acl_entry_type_t and defined in ACLE Types . The key and permission fields of the new ACL entries are defined exactly as they would for other DCE ACLEs. Because of this, users of ACLs who do not enable delegation will continue to operate as before, with no change in behavior.
Notes:
1. Because new entries for delegation have been added as new ACLEs, no wire protocol changes are necessary to support these new types.
2. It is possible to support delegation without using the new ACLE types that have been added to the ACL. While this provides a simple migration path, it has the consequence that every intermediary involved in an operation (request) is granted the ability to perform the operation of their own initiative (assuming their permissions are sufficient). However, that behavior is strongly discouraged by this specification. The new entries for delegation should be used. In this manner, intermediaries can be listed on the ACL without granting the intermediary the ability to operate on the target object directly.
The nature of the access request itself (that is, the set of permissions required by the operation requested by the client to be performed on the object).

Significantly, it does not depend on the name or path that the client uses to specify the object. This is in contradistinction to certain other systems, notably POSIX, whose access semantics support a notion of "pathname resolution", whereby a "search" ("traverse") permission is required of intermediate naming nodes in addition to the access permissions of the ultimate target (leaf) object. For this reason, the common access determination algorithm is said to be "object-based", as opposed to "name-based". (If a name-based access model is required, as, for example, in a POSIX-conformant distributed filesystem, it can of course be implemented within the context of this specification via a special-purpose (non-common) ACL manager.)

First Step: Reduction

In the first step of the algorithm, the overall determination of access is reduced from the full access request (consisting of a subset of the primitive permissions supported by the Common ACL Manager) to the individual primitive permissions themselves (or "permission bits") comprising the access request:

 

/* reduction step -- check each perm bit */
if (for every permission in the (non-empty) access request,
    the matching step of the algorithm (below) grants access) {
        GRANT access;
} else {
        DENY access;
}

Note that the second leg of the above pseudocode is entered (resulting in a denial of access) precisely when the matching step of the algorithm (below) denies access for at least one permission in the (non-empty) access request.

Second Step: Matching

In the second step of the algorithm, the determination of access for an individual primitive permission is reduced to a sequence of attempted matches against ACLE types (the notion of "matching" is defined in the subalgorithms themselves). This step is subdivided into two parts:

Determination of access for the client, in the non-delegation case, or determination of access for the initiator, in the delegation case, by a sequence of attempted matches against ACLE types, below:

 

/* matching step -- match PAC or EPAC against ACLEs, stop at */
/*                                               first match */
if (PAC or EPAC  matches ACL's USER_OBJ ACLE) {
        invoke USER_OBJ subalgorithm;
} else if (PAC matches one of ACL's USER or FOREIGN_USER ACLEs) {
        invoke USER's/FOREIGN_USER's subalgorithm;
} else if (PAC matches any of ACL's GROUP_OBJ, GROUP or
           FOREIGN_GROUP ACLEs /*union model here*/) {
        invoke GROUP_OBJ/GROUP's/FOREIGN_GROUP's subalgorithm;
} else if (PAC matches ACL's OTHER_OBJ ACLE) {
        invoke OTHER_OBJ subalgorithm;
} else if (PAC matches one of ACL's FOREIGN_OTHER ACLEs) {
        invoke FOREIGN_OTHER's subalgorithm;
} else if (PAC matches ACL's ANY_OTHER ACLE) {
        invoke ANY_OTHER subalgorithm;
} else {
        DENY access;
}

Note:: In the non_delegation case, the next substep is not executed. Thus, when delegation is not in effect, the decision for the client is to either GRANT or DENY access at this point.

Determination of access for each intermediary in the traced delegation case, by a sequence of attempted matches against ACLE types, below:

/* matching step -- match EPAC against ACLEs, stop at first match */
if (EPAC  matches ACL's USER_OBJ_DEL ACLE) {
        invoke USER_OBJ_DEL subalgorithm;
} else if (EPAC matches one of ACL's USER_DEL or FOREIGN_USER_DEL ACLEs) {
        invoke USER_DEL's/FOREIGN_USER_DEL's subalgorithm;
} else if (EPAC matches any of ACL's GROUP_OBJ_DEL, GROUP_DEL or
           FOREIGN_GROUP_DEL ACLEs /*union model here*/) {
        invoke GROUP_OBJ_DEL/GROUP_DEL's/FOREIGN_GROUP_DEL's subalgorithm;
} else if (EPAC matches ACL's OTHER_OBJ_DEL ACLE) {
        invoke OTHER_OBJ_DEL subalgorithm;
} else if (EPAC matches one of ACL's FOREIGN_OTHER_DEL ACLEs) {
        invoke FOREIGN_OTHER_DEL's subalgorithm;
} else if (EPAC matches ACL's ANY_OTHER_DEL ACLE) {
        invoke ANY_OTHER_DEL subalgorithm;
} else {
        DENY access;
}

Note that the final leg of the pseudocode in the access determination checking in either of the two substeps above is entered (resulting in a denial of access) if and only if the EPAC (or PAC) matches no ACLE of the ACL. This is, in particular, the case if the ACL in question is empty (that is, has an empty list of ACLEs). (An object protected by an empty ACL is inaccessible, even for modifying its ACL; ACL Managers will typically enforce a minimal, non-empty configuration for their ACLs, so that this can't happen, but DCE does not specify such.)

Combined First and Second Steps

Note also that the first and second steps of the algorithm as presented thus far are "interchangeable", and thus can be combined to give the following equivalent algorithm (and this is the form in which the paraphrase associated with Common Access Determination Algorithm was couched):

 

/* combined matching and reduction steps */
/* for client or, for delegation, initiator */
if (PAC matches ACL's USER_OBJ ACLE) {
        if (for every permission in the (non-empty) access request,
            the USER_OBJ subalgorithm grants access) {
                GRANT access;
        } else {
                DENY access;
        }
} else /* ··· similarly for the remaining subalgorithms ··· */

This compined set of steps also applies to intermediaries in the case of traced delegation, using the ACLEs for delegation. Since the combined steps are intuitively obvious, they are not explicitely shown here.

Third Step: Subalgorithms

The third step of the algorithm is to invoke the subalgorithm determined by the second step. These subalgorithms determine access for an individual requested permission, and are described below. Throughout the following subalgorithms, to say that a permission is granted (resp., denied) by an ACLE means that the bit in the ACLE's permissions field representing that permission is set (resp., reset). Also, the following textual ("macro") substitutions are employed:

 

/* MASK_OBJ ACLE masking */
#define MASK_OBJ-TEST-OK \
        (  (MASK_OBJ ACLE is not present in ACL) \
        || (permission is granted by MASK_OBJ ACLE) )

/* authentication flag test, and UNAUTHENTICATED ACLE masking */
#define AUTHENTICATION-TEST-OK \
        (  (PAC's authentication flag is TRUE) \
        || (  (UNAUTHENTICATED ACLE is present in ACL) \
           && (permission is granted by UNAUTHENTICATED ACLE) ) )

Thus note:

If the MASK_OBJ ACLE is not present in the ACL, the behaviour of the MASK_OBJ-TEST-OK macro is the same "as if" it were present and granted all permissions.
If the UNAUTHENTICATED ACLE is not present in the ACL, the behaviour of the AUTHENTICATION-TEST-OK macro is the same "as if" it were present and denied all permissions.

The subalgorithms are divided into two categories according to the substeps of Second Step: Matching . Thus, if either delegation is not enabled, or the authorisation is for the initiator of a request, the non-intermediary subalgorithms in Non-Intermediary Subalgorithms are used. Otherwise, the intermediary subalgorithms in Intermediary Subalgorithms are used.

Non-Intermediary Subalgorithms

USER_OBJ Subalgorithm

This subalgorithm is invoked when the PAC matches the ACL's USER_OBJ ACLE, in the following sense. There is a USER_OBJ ACLE present in the ACL (there can be at most one, by Common ACLs ), and the principal to which the PAC refers is equal to the principal to which the USER_OBJ refers.

 

/* USER_OBJ subalgorithm */
if ((permission is granted by USER_OBJ ACLE)
&&  AUTHENTICATION-TEST-OK) {
        GRANT access;
} else {
        DENY access;
}

USER/FOREIGN_USER Subalgorithm

This subalgorithm is invoked when the PAC matches one of the ACL's USER or FOREIGN_USER ACLEs, in the following sense (at most one ACLE can be matched). There are (one or more) USER and/or FOREIGN_USER ACLEs present in the ACL, and the principal to which the PAC refers is equal to the principal to which some USER or FOREIGN_USER ACLE refers.

 

/* USER's/FOREIGN_USER's subalgorithm */
if ((permission is granted by matched USER or FOREIGN_USER ACLE)
&&  MASK_OBJ-TEST-OK
&&  AUTHENTICATION-TEST-OK) {
        GRANT access;
} else {
        DENY access;
}

GROUP_OBJ/GROUP/FOREIGN_GROUP Subalgorithm

This subalgorithm is invoked when the PAC matches any of the ACL's GROUP_OBJ, GROUP or FOREIGN_GROUP ACLEs, in the following sense (one or more ACLEs can be matched). There are (one or more) GROUP_OBJ, GROUP and/or FOREIGN_GROUP ACLEs present in the ACLE, and some primary group, local secondary group or foreign secondary group to which the PAC refers is equal to some group to which some GROUP_OBJ, GROUP or FOREIGN_GROUP refers.

 

/* GROUP_OBJ/GROUP's/FOREIGN_GROUP's subalgorithm */
if ((permission is granted by (at least one) matched GROUP_OBJ,
     GROUP or FOREIGN_GROUP ACLE)
&&  MASK_OBJ-TEST-OK
&&  AUTHENTICATION-TEST-OK) {
        GRANT access;
} else {
        DENY access;
}

OTHER_OBJ Subalgorithm

This subalgorithm is invoked when the PAC matches the ACL's OTHER_OBJ ACLE, in the following sense. There is an OTHER_OBJ ACLE present in the ACL (there can be at most one), and the cell to which the PAC refers is equal to the cell to which the ACL refers.

 

/* OTHER_OBJ subalgorithm */
if ((permission is granted by OTHER_OBJ ACLE)
&&  AUTHENTICATION-TEST-OK) {
        GRANT access;
} else {
        DENY access;
}

FOREIGN_OTHER Subalgorithm

This subalgorithm is invoked when the PAC matches one of the ACL's FOREIGN_OTHER ACLEs, in the following sense (at most one ACLE can be matched). There are (one or more) FOREIGN_OTHER ACLEs present in the ACL, and the cell to which the PAC refers is equal to the cell to which some FOREIGN_OTHER ACLE refers.

 

/* FOREIGN_OTHER's subalgorithm */
if ((permission is granted by matched FOREIGN_OTHER ACLE)
&&  MASK_OBJ-TEST-OK
&&  AUTHENTICATION-TEST-OK) {
        GRANT access;
} else {
        DENY access;
}

ANY_OTHER Subalgorithm

This subalgorithm is invoked when the PAC matches the ACL's ANY_OTHER ACLE, in the following sense. There is an ANY_OTHER ACLE present in the ACL (there can be at most one), and none of the preceding subalgorithms has been invoked. That is, every PAC "matches" the ANY_OTHER ACLE (if it is present), including a NULL PAC (which is considered to be "unauthenticated").

 

/* ANY_OTHER subalgorithm */
if ((permission is granted by ANY_OTHER ACLE)
&&  MASK_OBJ-TEST-OK
&&  AUTHENTICATION-TEST-OK) {
        GRANT access;
} else {
        DENY access;
}

Intermediary Subalgorithms

USER_OBJ_DEL Subalgorithm

This subalgorithm is invoked when the EPAC matches the ACL's USER_OBJ_DEL ACLE, in the following sense. There is a USER_OBJ_DEL ACLE present in the ACL (there can be at most one, by POSIX-allowable delegation extensions to Common ACLs ), and the principal to which the EPAC refers is equal to the principal to which the USER_OBJ_DEL refers.

 

/* USER_OBJ_DEL subalgorithm */
if ((permission is granted by USER_OBJ_DEL ACLE)
&&  AUTHENTICATION-TEST-OK) {
        GRANT access;
} else {
        DENY access;
}

USER_DEL/FOREIGN_USER_DEL Subalgorithm

This subalgorithm is invoked when the EPAC matches one of the ACL's USER_DEL or FOREIGN_USER_DEL ACLEs, in the following sense (at most one ACLE can be matched). There are (one or more) USER_DEL and/or FOREIGN_USER_DEL ACLEs present in the ACL, and the principal to which the EPAC refers is equal to the principal to which some USER_DEL or FOREIGN_USER_DEL ACLE refers.

 

/* USER_DEL's/FOREIGN_USER_DEL's subalgorithm */
if ((permission is granted by matched USER_DEL or FOREIGN_USER_DEL ACLE)
&&  MASK_OBJ-TEST-OK
&&  AUTHENTICATION-TEST-OK) {
        GRANT access;
} else {
        DENY access;
}

GROUP_OBJ_DEL/GROUP_DEL/FOREIGN_GROUP_DEL Subalgorithm

This subalgorithm is invoked when the EPAC matches any of the ACL's GROUP_OBJ_DEL, GROUP_DEL or FOREIGN_GROUP_DEL ACLEs, in the following sense (one or more ACLEs can be matched). There are (one or more) GROUP_OBJ_DEL, GROUP_DEL and/or FOREIGN_GROUP_DEL ACLEs present in the ACLE, and some primary group, local secondary group or foreign secondary group to which the EPAC refers is equal to some group to which some GROUP_OBJ_DEL, GROUP_DEL or FOREIGN_GROUP_DEL refers.

 

/* GROUP_OBJ_DEL/GROUP_DEL's/FOREIGN_GROUP_DEL's subalgorithm */
if ((permission is granted by (at least one) matched GROUP_OBJ_DEL,
     GROUP_DEL or FOREIGN_GROUP_DEL ACLE)
&&  MASK_OBJ-TEST-OK
&&  AUTHENTICATION-TEST-OK) {
        GRANT access;
} else {
        DENY access;
}

OTHER_OBJ_DEL Subalgorithm

This subalgorithm is invoked when the EPAC matches the ACL's OTHER_OBJ_DEL ACLE, in the following sense. There is an OTHER_OBJ_DEL ACLE present in the ACL (there can be at most one), and the cell to which the EPAC refers is equal to the cell to which the ACL refers.

 

/* OTHER_OBJ_DEL subalgorithm */
if ((permission is granted by OTHER_OBJ_DEL ACLE)
&&  AUTHENTICATION-TEST-OK) {
        GRANT access;
} else {
        DENY access;
}

FOREIGN_OTHER_DEL Subalgorithm

This subalgorithm is invoked when the EPAC matches one of the ACL's FOREIGN_OTHER_DEL ACLEs, in the following sense (at most one ACLE can be matched). There are (one or more) FOREIGN_OTHER_DEL ACLEs present in the ACL, and the cell to which the EPAC refers is equal to the cell to which some FOREIGN_OTHER_DEL ACLE refers.

 

/* FOREIGN_OTHER_DEL's subalgorithm */
if ((permission is granted by matched FOREIGN_OTHER_DEL ACLE)
&&  MASK_OBJ-TEST-OK
&&  AUTHENTICATION-TEST-OK) {
        GRANT access;
} else {
        DENY access;
}

ANY_OTHER_DEL Subalgorithm

This subalgorithm is invoked when the EPAC matches the ACL's ANY_OTHER_DEL ACLE, in the following sense. There is an ANY_OTHER_DEL ACLE present in the ACL (there can be at most one), and none of the preceding subalgorithms has been invoked. That is, every EPAC "matches" the ANY_OTHER_DEL ACLE (if it is present), including a NULL EPAC (which is considered to be "unauthenticated").

 

/* ANY_OTHER_DEL subalgorithm */
if ((permission is granted by ANY_OTHER_DEL ACLE)
&&  MASK_OBJ-TEST-OK
&&  AUTHENTICATION-TEST-OK) {
        GRANT access;
} else {
        DENY access;
}

Please note that the html version of this specification may contain formatting aberrations. The definitive version is available as an electronic publication on CD-ROM from The Open Group.

Contents

Next section

Index