On Tue, Aug 20, 2002 at 02:21:10PM -0500, Tom Hart wrote:
> Lionel Elie Mamane wrote:

>> More importantly, I don't see many programs that rely on the Unix
>> security model. What interactions does a typical program have with
>> the security model:

>> The user requests some action (e.g. open a file). It fails, because
>> it is not authorised. Report it to the user. What does an ACL-based
>> system change there? The program doesn't care why exactly the
>> action is not authorised.

> Say there's a file on a GNU/Hurd box called /home/tom/foo.bar, whose
> standard UN*X permissions are wrxwrx---. Furthermore, say there's an ACE
> on it that explicitly grants user Lionel read permissions. Would an
> unmodified UN*X program see this ACE,

No,

> and let you read my file?

Yes.

Programs typically just try to do something, without trying to predict
beforehand if the user is authorised to do that. They'll get an error
back from the system if, for whatever reason, the action is not
possible. I don't see why an editor would try to predict if it can read
a file. Just try, and treat the error you get, if you get one.

The only exceptions I see are:

- programs that run as one user, but provide services to another user.
  These might do some "prediction work": Does the user I'm serving have
  permission to do that? But then, having the Unix permission system
  re-implemented in each application is IMHO not the right way to do
  this. Either use the "access" system call, or fork, setuid, and try to
  do the thing in question, if it has to be performed.

  example: slocate

- programs that do sanity checks on permissions of some files, like
  gnupg on the secret key ring, and such. I still think that with a
  decent mapping from ACL's to Unix permission bits, these programs will
  perform decently, if not entirely correctly.

> I'm assuming that most UN*X programs check the file permission bits
> set by the filesystem, which has to do with the implementation of
> ext{2,3}fs, ufs, etc., right?

I'm pretty sure most programs don't: Just try to do whatever you want
to, and react appropriately if it fails.

> Such programs would use some sort of "standard UN*X" <--> ACL
> translation library, I believe.

Yes, the libc :) It is supposed to give a Unix interface, and this
includes permission bits. Won't work for programs that touch
permissions, like file managers, though. They need to access the ACL
interface directly.

-- 
Lionel
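The two patterns described in the reply above, written out as an added C example (not code from the original thread or from the Hurd project): "just try and treat the error", where the caller cannot tell whether a denial came from mode bits or an ACL, and fork-then-setuid for a service acting on another user's behalf. The make_file helper and the /tmp paths used to exercise it are constructed for demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* All the program needs to know about a failed action: not why the kernel
 * refused (mode bits? ACL?), only that it was refused. */
enum attempt { ATTEMPT_OK = 0, ATTEMPT_DENIED = 1, ATTEMPT_OTHER = 2 };

/* "Just try, and treat the error": attempt the read, then classify errno. */
enum attempt try_read(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd >= 0) { close(fd); return ATTEMPT_OK; }
    return (errno == EACCES || errno == EPERM) ? ATTEMPT_DENIED : ATTEMPT_OTHER;
}

/* A service running as one user but acting for another (the slocate case):
 * fork, become the client, try, and let the kernel apply whatever policy is
 * in force. The child reports the outcome through its exit status. Changing
 * to a different uid needs privilege; any process may re-assert its own. */
enum attempt try_read_as(const char *path, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return ATTEMPT_OTHER;
    if (pid == 0) {
        /* group first, then user; a real service would also call initgroups() */
        if (setgid(gid) != 0 || setuid(uid) != 0) _exit(ATTEMPT_OTHER);
        _exit(try_read(path));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return ATTEMPT_OTHER;
    return (enum attempt)WEXITSTATUS(status);
}

/* Constructed test fixture: (re)create a file carrying the given mode bits. */
int make_file(const char *path, mode_t mode)
{
    unlink(path);                  /* a leftover 0000 copy could not be reopened */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    close(fd);
    return chmod(path, mode);
}
```

Run as an unprivileged user the 0000 file is reported as ATTEMPT_DENIED; as root the kernel bypasses the mode bits and the same call succeeds, which is exactly why the caller should not try to predict the outcome itself.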