OSF DCE Application Development Guide--Core Components

The Extended Privilege Attribute API
Note that ACLs on objects that are targets of impersonation need list only the
delegation initiator, not each delegate in the chain.
Generally, traced delegation is the preferred method. The high degree of location
transparency inherent in simple delegation greatly increases the risk of a client being
compromised by a Trojan horse application.
When server principals run the sec_login_become_delegate() or
sec_login_become_impersonator() call to become an intermediary in a delegation
chain, they must also specify the delegation type as input to the call. The type they
specify must be the same type as the delegation type specified by the initiator of the
chain (unless they specify no delegation).
26.2.2 Target and Delegate Restrictions
When a principal enables delegation or becomes an intermediary in a delegation chain,
the principal may specify target and delegate restrictions. Target restrictions identify the
server principals (by UUID) to which the identities in a delegation chain can be
projected. Delegate restrictions identify the server principals that can further project the
delegation chain.
If a target restriction prohibits a server from seeing an identity in a delegation chain, the
security runtime replaces that identity with the identity of the anonymous principal. If a
delegate restriction prohibits a principal from being an intermediary in a chain, then the
security runtime replaces that principal’s identity with the identity of the anonymous
principal. This replacement with the anonymous identity allows the authenticated RPC
call to complete. Whether the operation requested by the delegation chain is performed
can be controlled by ACL entries that grant permission to the anonymous principal on
the objects that are the targets of the delegated operation.
If no delegate restrictions are supplied, any principal can be an intermediary in the
delegation chain. If any delegate restrictions are supplied, then only those supplied can
further transmit the delegation chain.
Note: In the current release of DCE, there is no way for a server to register its
DCE credentials with the RPC runtime. Only a server name and key table
can currently be registered. Because of this limitation, target restrictions
are currently implemented so that all target servers see anonymous
credentials for any EPAC that contains any target restriction regardless of
the identity specified in the restriction.
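The restriction semantics described above, as an added model that is not DCE code: it projects a traced delegation chain to a target server, substitutes the anonymous principal where a target or delegate restriction prohibits an identity, and applies the traced-delegation ACL rule that every identity the target sees must hold the permission. All names are constructed stand-ins for principal UUIDs, and treating delegate restrictions as accumulating down the chain is an assumption.

```python
# Added illustration, not DCE code: a model of how the security runtime
# projects a traced delegation chain to a target server under target and
# delegate restrictions, substituting the anonymous principal wherever a
# restriction prohibits an identity. Names stand in for principal UUIDs.

ANONYMOUS = "anonymous"  # stands in for the anonymous principal's UUIDs


def project_chain(chain, target, current_release=False):
    """Return the identities `target` sees, in chain order.

    chain[0] is the initiator; later entries are intermediaries. Each entry
    is a dict with "id" (constructed name in place of a UUID) and optional
    "targets" (servers allowed to see this identity) and "delegates"
    (principals allowed to act as later intermediaries); absent = any.
    current_release=True models the documented limitation: any target
    restriction makes every target see anonymous credentials for the EPAC.
    """
    any_target_restriction = any("targets" in e for e in chain)
    delegate_sets = []  # delegate restrictions imposed by earlier entries
    seen = []
    for i, entry in enumerate(chain):
        ident = entry["id"]
        # Delegate restriction: an intermediary not named by every earlier
        # restriction set is replaced (assumption: restrictions accumulate).
        if i > 0 and any(ident not in allowed for allowed in delegate_sets):
            ident = ANONYMOUS
        # Target restriction: an identity this target may not see is replaced.
        if "targets" in entry and target not in entry["targets"]:
            ident = ANONYMOUS
        if current_release and any_target_restriction:
            ident = ANONYMOUS
        seen.append(ident)
        if "delegates" in entry:
            delegate_sets.append(entry["delegates"])
    return seen


def authorized(acl, seen, permission):
    """Traced-delegation ACL check: every identity the target sees, the
    anonymous principal included, must hold `permission` on the object.
    acl maps principal -> set of permission strings."""
    return all(permission in acl.get(ident, set()) for ident in seen)
```

The call still completes after substitution; whether the operation is then allowed depends on whether the object's ACL grants the permission to the anonymous principal.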
26.2.2.1 The Anonymous Principal
The DCE Security Service replaces those identities in the delegation chain that are not
allowed to be seen by target or delegate restrictions with the UUIDs associated with the
anonymous principal’s identity. These UUIDs are as follows: