OSF DCE Application Development Guide--Introduction and Style Guide
Security
There are two levels of semantics (or policy) to be considered here. One is the semantics of
privilege attributes, for which we specify a strict (POSIX-compliant) policy in the form
of an access checking algorithm; this is embodied in the default access checking
algorithm provided by the ACL library. The second is the semantics of permissions,
which ultimately depend on the ACL manager and the kinds of objects it protects.
However, some recommendations for keeping permissions as intuitive and consistent
across applications as possible are offered in the following subsection.
3.4.2.1 Permissions Semantics Recommendations
The basic model used for access checking is, for each member of the requested permission
set, to iterate through the sequence of ACL privilege attribute entries looking for the
first entry that matches one of the caller's privilege attributes, and then (where
applicable) to AND that entry's permissions with the appropriate ACL mask entries
(mask_obj and unauthenticated). Entry types are checked in essentially the following order:
• [user_obj]
• user
• foreign_user
• [group_obj], group, foreign_group
• other_obj
• foreign_other
• any_other
In actual practice, the bracketed [user_obj] and [group_obj] entry types are ignored by
the access checking algorithm implemented by the DCE ACL library. The reasons for
this will be explained shortly. The access check is made at the first match, effectively
giving precedence to the most specific match. The group entries are unordered, so the
match is made against the union of all matching group entries. This precedence allows
explicit inclusion and exclusion of permissions: a more specific entry with a restrictive
permission set (for example, a user entry granting nothing) overrides a less specific entry
(such as a group entry) that would grant more, and a more specific entry with a less
restrictive set likewise overrides a more restrictive general entry.
Except for the user_obj and group_obj entry types, the ACL entry types have semantics
clearly defined according to the specificity and the cell of the principals referred to. In
the local cell, user is the most specific, referring to some specific local principal. The
group entry type refers to a specific set of principals. The other_obj type refers to other
local principals not accounted for by user and group entries.
The user and group entries are extended to foreign cells by foreign_user and
foreign_group. These are user and group identifiers that include a cell name. Strictly
speaking, this distinction between the local and foreign cells is not required, since user
and group entries implicitly contain global names (that is, the global name of the local
cell is implicitly known). The user and group entries are therefore really an
implementation convenience for principals and groups in the local cell.
The other_obj entry is extended by foreign_other, which is a list of cell names.
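As an added example (not code from the DCE ACL library or from this guide), the following Python models the precedence described in this subsection together with the local/foreign entry semantics above: user before group, the union of unordered group entries, then other_obj / foreign_other / any_other, with user_obj and group_obj skipped. The permission bits, the Entry and Principal representations, the simplification that a principal's groups lie in its own cell, and the mask handling (mask_obj ANDed with every matched entry type except other_obj; a missing mask_obj imposes no restriction; a missing unauthenticated entry grants nothing to unauthenticated callers) are assumptions made for the example, not statements of the guide. The sample ACL is constructed for illustration.

```python
# Added illustration of the DCE ACL access-check order; not the library's code.
from dataclasses import dataclass

# Permission bits chosen for the example; the guide leaves permission
# semantics to the ACL manager.
READ, WRITE, EXECUTE = 1, 2, 4
ALL = READ | WRITE | EXECUTE

# Entry types whose match is ANDed with mask_obj; other_obj is exempt
# (assumption modelled on the POSIX-style policy the guide describes).
MASKED = {"user", "foreign_user", "group", "foreign_group",
          "foreign_other", "any_other"}


@dataclass(frozen=True)
class Entry:
    etype: str     # user, foreign_user, group, foreign_group, other_obj,
                   # foreign_other, any_other, mask_obj, unauthenticated
    perms: int
    key: str = ""  # local name, "cell/name", group, "cell/group" or cell name


@dataclass(frozen=True)
class Principal:
    name: str
    cell: str
    groups: frozenset = frozenset()  # groups in the principal's own cell (assumption)
    authenticated: bool = True


class Acl:
    def __init__(self, local_cell, entries):
        self.local_cell = local_cell
        self.entries = list(entries)

    def of_type(self, etype):
        return [e for e in self.entries if e.etype == etype]

    def mask(self, etype, default):
        """Bits of a mask entry, or `default` if the ACL has no such entry."""
        hits = self.of_type(etype)
        return hits[0].perms if hits else default

    def first_match(self, p):
        """Most specific matching entry in the guide's order: (etype, perms).

        user_obj and group_obj are skipped, as the guide says the library
        ignores them. Returns (None, 0) when nothing matches.
        """
        local = p.cell == self.local_cell
        user_type, user_key = ("user", p.name) if local else ("foreign_user", f"{p.cell}/{p.name}")
        for e in self.of_type(user_type):
            if e.key == user_key:
                return user_type, e.perms
        # Group entries are unordered: use the union of every matching one.
        group_type = "group" if local else "foreign_group"
        keys = {g if local else f"{p.cell}/{g}" for g in p.groups}
        hits = [e.perms for e in self.of_type(group_type) if e.key in keys]
        if hits:
            union = 0
            for perms in hits:
                union |= perms
            return group_type, union
        if local:
            others = self.of_type("other_obj")
            if others:
                return "other_obj", others[0].perms
        else:
            for e in self.of_type("foreign_other"):
                if e.key == p.cell:
                    return "foreign_other", e.perms
        anyone = self.of_type("any_other")
        return ("any_other", anyone[0].perms) if anyone else (None, 0)

    def effective(self, p):
        """(entry type, permissions) after applying the mask entries."""
        etype, perms = self.first_match(p)
        if etype in MASKED:
            perms &= self.mask("mask_obj", ALL)        # no mask_obj: unrestricted
        if not p.authenticated:
            perms &= self.mask("unauthenticated", 0)   # no entry: nothing granted
        return etype, perms

    def check(self, p, requested):
        """True only if every requested permission bit is granted."""
        return self.effective(p)[1] & requested == requested


# Constructed sample ACL for the example; not from any real deployment.
LOCAL = "/.../acme.com"
SAMPLE = Acl(LOCAL, [
    Entry("user", READ | WRITE, "bob"),
    Entry("user", 0, "mallory"),          # explicit exclusion beats group grants
    Entry("group", READ, "staff"),
    Entry("group", EXECUTE, "ops"),
    Entry("other_obj", READ),
    Entry("foreign_other", READ | WRITE, "/.../partner.com"),
    Entry("any_other", 0),
    Entry("mask_obj", READ | EXECUTE),
    Entry("unauthenticated", READ),
])
```

Running `SAMPLE.effective(...)` on a few constructed principals shows the points the text makes: bob's user entry grants WRITE but mask_obj strips it; mallory is in staff yet her empty user entry is matched first and denies everything; alice, in both staff and ops, gets the union READ|EXECUTE; a caller from /.../partner.com falls through to foreign_other and is still masked; an unauthenticated caller is additionally limited by the unauthenticated entry.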
124246 Tandem Computers Incorporated 3-21