Manualshelf

OSF DCE Administration Guide--Core Components

ManualsBrandsHP ManualsServerHP NonStop G-Series
341342343344345346347348349350
OSF DCE Administration Guide—Core Components
The principal and each of the groups is represented by both a string name and a UUID.
The privilege attribute UUIDs are contained in the credentials that are used in
authenticated remote procedure calls (RPCs). Servers grant access based upon the
contents of credentials received in RPCs. Although servers typically reject
unauthenticated RPCs, any server can support a policy of accepting them. In that case,
the server’s ACL manager must support the unauthenticated mask ACL entry type so
that the server can further restrict the access granted to such unauthenticated clients.
When a principal requests access to a DCE object associated with an ACL, the object’s
ACL manager compares the UUIDs of the principal and any groups of which the
principal is a member (the principal’s privilege attributes) with the UUIDs of the
principals and groups listed in the ACL entry. It does this simply by reading through the
list of ACL entries. The manager grants the access permissions in the first ACL entry (or
entries in the case of groups) it finds that match any of the principal’s privilege
attributes. If the permissions in the matching entry allow the requested mode of access,
the principal gains access; if not, access is denied.
28.1.3 Credentials Inherited by Processes
Processes created or spawned by a principal inherit the principal’s credentials. For
example, if you log in, are authenticated, and start an application, the application you
start inherits your authenticated credentials and runs as though it were you. The
application’s permissions for any given object are the same as your permissions.
Processes spawned by the application carry your identity and pass it down to processes
they start.
Note: Changing the setuid permission bit changes only the local operating
system identity under which an executable file runs, not the network
identity.
Some servers are written to run as separate authenticated principals. For these servers,
the system administrator creates an account in the registry database. After you start
these servers, the server process authenticates with the registry, receives its credentials,
and runs under its own identity, not yours.
28.2 ACL Entries and Masks
ACL entries are of several different ACL entry types, each type being for a particular
purpose. All ACL entries are represented in a uniform list syntax.
28 4 Tandem Computers Incorporated 124243