•If the process is neither the owner nor a member of an appropriate group, and the permission bits for world allow the type of access requested, then the subject is permitted access.
•If none of the conditions above are satisfied, and the effective UID of the process is not zero, then the access attempt is denied.
5.1.5.2 Access Control Lists
The ext3 file system supports Access Control Lists (ACLs) that offer more flexibility than the traditional permission bits. An ACL can enforce specific access rights for multiple individual users and groups, not just for the single user and group defined for
The ext3_check_acl() function checks if an object has an associated ACL. If it does not have one, the system uses the standard permission bits algorithm as described in the previous section.
If the file system object has an associated ACL, the kernel calls the posix_acl_permission() function to enforce POSIX ACLs. ACLs are created, maintained, and used by the kernel. For more detailed information about the POSIX ACLs, refer to the http://acl.bestbits.at and http://wt.xpilot.org/publications/posix.1e sites.
An ACL entry contains the following information:
•A tag type that specifies the kind of the ACL entry.
•A qualifier that identifies the particular instance of a tag type to which an ACL entry applies.
•A permission set that specifies the discretionary access rights for processes identified by the tag type and qualifier.
5.1.5.2.1 Types of ACL tags
The following types of tags exist:
•ACL_GROUP: This type of ACL entry defines access rights for processes whose file system group ID or any supplementary group IDs match the one in the ACL entry qualifier.
•ACL_GROUP_OBJ: This type of ACL entry defines access rights for processes whose file system group ID or any supplementary group IDs match the group ID of the group of the file.
•ACL_MASK: This type of ACL entry defines the maximum discretionary access rights for a process in the file group class.
•ACL_OTHER: An ACL entry of this type defines access rights for processes whose attributes do not match any other entry in the ACL.
•ACL_USER: An ACL entry of this type defines access rights for processes whose file system user ID matches the ACL entry qualifier.
•ACL_USER_OBJ: An ACL entry of this type defines access rights for processes whose file system user ID matches the user ID of the owner of the file.
5.1.5.2.2 ACL qualifier
The qualifier is required for ACL entries of type ACL_GROUP and ACL_USER, and contains either the user ID or the group ID for which the access rights are defined.
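The decision that posix_acl_permission() makes over the tag types and qualifier described above, modelled in user space as an added example (this is not the kernel's fs/posix_acl.c). The struct, enum and function names, the constructed sample ACL and the process identities are all assumptions, and the ACL is assumed to be in canonical entry order.

```c
#include <stdbool.h>
#include <stddef.h>
enum acl_tag { ACL_USER_OBJ, ACL_USER, ACL_GROUP_OBJ, ACL_GROUP, ACL_MASK, ACL_OTHER };
enum { ACL_READ = 4, ACL_WRITE = 2, ACL_EXECUTE = 1 };
struct acl_entry { enum acl_tag tag; unsigned qualifier; unsigned perm; };
/* groups[] holds the file system GID followed by the supplementary group IDs */
struct process { unsigned fsuid; const unsigned *groups; size_t ngroups; };

static bool in_group(const struct process *p, unsigned gid) {
    for (size_t i = 0; i < p->ngroups; i++) if (p->groups[i] == gid) return true;
    return false;
}
/* Named-user and group-class entries are limited by the ACL_MASK entry when one exists. */
static bool masked_grant(const struct acl_entry *acl, size_t n, unsigned perm, unsigned want) {
    for (size_t i = 0; i < n; i++) if (acl[i].tag == ACL_MASK) perm &= acl[i].perm;
    return (perm & want) == want;
}

/* Decide a request 'want' (OR of ACL_READ/WRITE/EXECUTE) against an ACL in canonical order
 * (user obj, named users, group obj, named groups, mask, other); owner ids come from the inode. */
bool acl_permission(const struct acl_entry *acl, size_t n, unsigned owner_uid,
                    unsigned owner_gid, const struct process *p, unsigned want) {
    bool group_matched = false;   /* some group entry applied but did not suffice */
    for (size_t i = 0; i < n; i++) {
        const struct acl_entry *e = &acl[i];
        if (e->tag == ACL_USER_OBJ && p->fsuid == owner_uid)      /* owner: mask does not apply */
            return (e->perm & want) == want;
        if (e->tag == ACL_USER && p->fsuid == e->qualifier)       /* named user: decides, under mask */
            return masked_grant(acl, n, e->perm, want);
        if ((e->tag == ACL_GROUP_OBJ && in_group(p, owner_gid)) ||
            (e->tag == ACL_GROUP && in_group(p, e->qualifier))) { /* any sufficient group grants */
            group_matched = true;
            if (masked_grant(acl, n, e->perm, want)) return true;
        }
        if (e->tag == ACL_OTHER)  /* a matched but insufficient group entry never falls back here */
            return !group_matched && (e->perm & want) == want;
    }
    return false;                 /* no ACL_OTHER entry: malformed ACL, deny */
}

/* Constructed sample: object owned by uid 1000 / gid 100 carrying the ACL
 * user::rw-, user:1001:rw-, group::r--, group:200:rwx, mask::r--, other::---. */
bool sample_check(unsigned uid, unsigned gid, unsigned supp, unsigned want) {
    static const struct acl_entry acl[] = {
        { ACL_USER_OBJ, 0, ACL_READ | ACL_WRITE }, { ACL_USER, 1001, ACL_READ | ACL_WRITE },
        { ACL_GROUP_OBJ, 0, ACL_READ }, { ACL_GROUP, 200, ACL_READ | ACL_WRITE | ACL_EXECUTE },
        { ACL_MASK, 0, ACL_READ }, { ACL_OTHER, 0, 0 } };
    unsigned groups[] = { gid, supp };          /* fs GID plus one supplementary group */
    struct process p = { uid, groups, 2 };
    return acl_permission(acl, sizeof acl / sizeof *acl, 1000, 100, &p, want);
}
```

Note that the owner entry and a matching named-user entry decide on their own: an owner who is also in group 200 does not gain execute from that group entry, and a group member whose entry is insufficient is not re-evaluated against ACL_OTHER.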