[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Permission models

On Tue, Aug 20, 2002 at 02:21:10PM -0500, Tom Hart wrote:
> Lionel Elie Mamane wrote:

>> More importantly, I don't see many programs that rely on the Unix
>> security model. What interactions does a typical program have with
>> the security model:

>> The user requests some action (e.g. open a file). It fails, because
>> it is not authorised. Report it to the user. What does an ACL-based
>> system change there? The program doesn't care why exactly the
>> action is not authorised.

> Say there's a file on a GNU/Hurd box called /home/tom/foo.bar, whose 
> standard UN*X permissions are wrxwrx---. Futhermore, say there's an ACE 
> on it that explicitly grants user Lionel read permissions. Would an 
> unmodified UN*X program see this ACE,

No,

> and let you read my file?

Yes. Programs typically just try to do something, without trying to
predict beforehand if the user is authorised to do that. They'll get
an error back from the system if, for whatever reason, the action is
not possible. I don't see why an editor would try to predict if it can
read a file. Just try, and treat the error you get, if you get one.

The only exceptions I see is:

 - programs that run as one user, but provide services to another
   user. These might do some "prediction work": Does the user I'm
   serving has permission to do that?

   But then, having the Unix permission system re-implemented in each
   application is IMHO not the right way to do this. Either use
   the "access" system call, or fork, setuid, and try to do the thing
   in question, if it has to be performed.

   example: slocate

 - programs that do sanity checks on permissions of some files, like
   gnupg on the secret key ring, and such.


I still think that with a decent mapping from ACL's to Unix permission
bits, these programs will perform decently, if not entirely correctly.

> I'm assuming that most UN*X programs check the file permission bits
> set by the filesystem, which has to do with the implementation of
> ext{2,3}fs, ufs, etc., right?

I'm pretty sure most programs don't: Just try to do whatever you want
to, and react appropriately if it fails.

> Such programs would use some sort of "standard UN*X" <--> ACL
> translation library, I believe.

Yes, the libc :) It is supposed to give an Unix interface, and this
includes permission bits.

Won't work for programs that touch permissions, like file managers,
though. They need to access the ACL interface directly.

-- 
Lionel

Attachment: pgpVHuCPsTjcF.pgp
Description: PGP signature

Reply to: