[rsbac] ACL changes proposition
Amon Ott
ao at rsbac.org
Fri Sep 17 10:26:22 CEST 2004
On Mittwoch, 1. September 2004 21:23, Michal Purzynski wrote:
> i would like to propose small change in ACL
> for now having rule disalowing user from accesing some object it
does not
> mean that he will not be able to access it, because of inheritance
rules.
> why not change ACL is such a way, that if there is no access rule
> for subject to object, inheritance will step in (like it is now
<correct
> me>) but in case if we have this rule inheritance would not be taken
into
> account ?
> so as an example:
>
> user badcracker1 does not have any rules determinating his access to
file
> topsecret1, so ACL calculates them from inheritance
>
> but...
>
> if we have rule (dis)allowing access to topsecret file by user
badhacker1
> this rule is the _one_ and the _only_ rule determining his access to
that
> object, without inheritance.
>
> so generaly rule that is most tight gives out finally answer about
access
>
> it should be adopted to all of ACL subjects of course
We could have an option, which does not use inherited group or role
rights, if a user has an explicit ACL entry. However, this already
creates a problem with RC forced roles for daemons: In that case, we
want the role to be significant, not the user. As ACL administration
should be as group based as possible, returning to user entries is
not optimal.
Now let's consider that an explicit group ACL entry stops inheritance
for all group members: Then adding or removing a group member can
change the member's effective rights in an inconsistent way: User
based rights become dependent on group memberships.
So generally, I consider this idea as not ideal and would rather not
make the change.
> second thing (i am not conviced to it as i am to previous idea)
>
> if subject has access to /dir/file it is required to for him to have
> search (get_status_data also ?) access to /dir
> this way it can not get information about /dir content, but one
could
> 'poke' to gues what it contains.
> here my idea goes...
>
> if subject has access to /dir/file and not to /dir it _can_ go
throught
> /dir but only to /dir/file and not anything else in this dir.
This is the meaning of SEARCH: You can go through the dir to a file.
There is already a to-do list item to require SEARCH right on a file
to be able to see it, which should do most of what you are looking
for.
It might make administration a bit more complicated, but
implementation much easier: Lookup is a loop, which walks through the
path from top dir to the file.
Now, how should we determine the file's attributes to know if SEARCH
should be allowed, if we have not yet looked it up? We would have to
change the whole RSBAC logic for lookups from dir-by-dir to the
result only, and let the kernel cleanup all structures, if we deny
the lookup after all work has been done.
Amon.
--
http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
-------------- nächster Teil --------------
Ein Dateianhang mit Bin?rdaten wurde geschreddert...
Dateiname : nicht verf?gbar
Dateityp : application/pgp-signature
Dateigr??e : 189 bytes
Beschreibung: signature
URL : http://www.rsbac.org/pipermail/rsbac/attachments/20040917/e3cb2452/attachment.bin
More information about the rsbac
mailing list