ACL evaluation: interaction between "best match" and privilege

Casey Schaufler casey at sgi.com
Fri Sep 22 16:42:27 GMT 2000


Robert Watson wrote:
> 
> On Fri, 22 Sep 2000, Casey Schaufler wrote:
> 
> > If a system has audit (What? I thought we were talking about ACLs.
> > Yes, we are. I said it was a systemic issue, didn't I? Now be
> > patient) we want to record not only whether an operation
> > succeeded or failed, but why. Thus, I want to do a complete
> > access control check (in this case, completely resolve the ACL)
> > before I check for any capabilities. Why? so that I can mark
> > which capabilities are actually used in the audit record.
> > If I do capability checks first, or if I intermix them with
> > strict policy checking, that information can be incorrect.
> 
> I agree with this analysis, but it prompted my concern, as "best match"
> results in ambiguity about which privilege to use.
> 
> Suppose the request is for VREAD|VWRITE.  There are two matching group
> entries, one providing ACL_PERM_READ and one providing ACL_PERM_WRITE.
> The process also has CAP_DAC_READ_SEARCH and CAP_DAC_WRITE.  Which
> capability do I audit as used? :-)  There is no "best match", as both are
> best.  Right now, I do first match when falling back on privilege, but
> from the perspective of minimizing privilege used, it's not right unless
> you define your privilege minimalization function as first match :-).

Ugh. Reason number 806 to dislike ACLs.

There is no 100% defensible solution. Where were you when
we were writing this spec? We could have used your devious
viewpoints.

What I advocate, and I do this not because I think it's
right, but because it's fairly clean, is to fall out of
the ACL check with a failure and then require ALL capabilities
necessary to get the access be present. I suggest this in
the spirit of ACL entry non-combinability. I also think
that any other scheme leads to madness, or at least excessive
bookkeeping.

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey at sgi.com				voice: 650.933.1634
casey_p at pager.sgi.com			Pager: 888.220.0607
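The two fallback policies argued over in this exchange, modelled as an added example (not code from the message, the posix1e list, or any real POSIX.1e kernel implementation). The model resolves the ACL completely first, exactly as both posters want for audit, and only then falls back on privilege. It implements both the "require ALL capabilities for the requested access" rule Casey advocates and the "first matching entry, then capabilities for the missing bits" rule Robert describes, recording which capabilities were consumed so the audit ambiguity can be seen directly. Tag constants, the `Entry`/`Cred`/`Decision` types and the mode-to-capability mapping (including the `CAP_DAC_EXECUTE` name) are assumptions of this model, not names from the thread; the access bits and the two capability names for read and write are the ones the thread uses.

```python
"""Model of POSIX.1e-style ACL evaluation with a privilege fallback and
audit bookkeeping.  Constructed illustration: tag names, types and the
mode -> capability mapping are assumptions, not a real kernel's API."""
from dataclasses import dataclass

# Requested access modes, named as in the thread (VREAD|VWRITE).
VREAD, VWRITE, VEXEC = 0x1, 0x2, 0x4
ALL_MODES = VREAD | VWRITE | VEXEC

# ACL entry tag types (assumed constants modelled on the POSIX.1e draft).
USER_OBJ, USER, GROUP_OBJ, GROUP, MASK, OTHER = range(6)

# Assumed mapping from an access mode to the capability that overrides
# discretionary access control for it.  READ/WRITE names are from the
# thread; the EXECUTE name is an assumption of this model.
CAP_FOR_MODE = {
    VREAD: "CAP_DAC_READ_SEARCH",
    VWRITE: "CAP_DAC_WRITE",
    VEXEC: "CAP_DAC_EXECUTE",
}


@dataclass(frozen=True)
class Entry:
    tag: int
    qualifier: int = 0   # uid/gid for USER/GROUP entries, unused otherwise
    perms: int = 0       # VREAD|VWRITE|VEXEC bits this entry grants


@dataclass(frozen=True)
class Cred:
    uid: int
    gids: frozenset      # all groups the process is a member of
    caps: frozenset      # capability names the process holds


@dataclass(frozen=True)
class Decision:
    granted: bool
    reason: str                      # "acl", "privilege" or a denial reason
    caps_used: frozenset = frozenset()  # what the audit record would mark


def _mask(acl):
    return next((e.perms for e in acl if e.tag == MASK), ALL_MODES)


def _matching_group_entries(acl, owner_gid, cred):
    return [e for e in acl
            if (e.tag == GROUP_OBJ and owner_gid in cred.gids)
            or (e.tag == GROUP and e.qualifier in cred.gids)]


def acl_check(acl, owner_uid, owner_gid, cred, want):
    """Strict DAC check: True only if the ACL itself grants every bit of
    `want`.  Group entries are never combined: access succeeds only if
    some single matching group entry (after masking) covers all of it."""
    mask = _mask(acl)

    def covers(perms):
        return (want & ~perms) == 0

    for e in acl:
        if e.tag == USER_OBJ and cred.uid == owner_uid:
            return covers(e.perms)
    for e in acl:
        if e.tag == USER and e.qualifier == cred.uid:
            return covers(e.perms & mask)
    groups = _matching_group_entries(acl, owner_gid, cred)
    if groups:
        return any(covers(e.perms & mask) for e in groups)
    for e in acl:
        if e.tag == OTHER:
            return covers(e.perms)
    return False


def _privilege(cred, needed):
    if needed <= cred.caps:
        return Decision(True, "privilege", needed)
    return Decision(False, "denied, missing " + ",".join(sorted(needed - cred.caps)))


def access_all_caps(acl, owner_uid, owner_gid, cred, want):
    """Casey's scheme: fall out of the ACL check with a failure, then
    require the capability for EVERY requested mode and audit all of them."""
    if acl_check(acl, owner_uid, owner_gid, cred, want):
        return Decision(True, "acl")
    needed = frozenset(cap for mode, cap in CAP_FOR_MODE.items() if want & mode)
    return _privilege(cred, needed)


def access_first_match(acl, owner_uid, owner_gid, cred, want):
    """Robert's current behaviour: take the first matching group entry and
    demand capabilities only for the bits it lacks.  Which capability gets
    audited now depends on ACL entry order."""
    if acl_check(acl, owner_uid, owner_gid, cred, want):
        return Decision(True, "acl")
    groups = _matching_group_entries(acl, owner_gid, cred)
    have = (groups[0].perms & _mask(acl)) if groups else 0
    needed = frozenset(cap for mode, cap in CAP_FOR_MODE.items()
                       if want & mode & ~have)
    return _privilege(cred, needed)


def thread_scenario(reverse_acl=False):
    """The thread's case: VREAD|VWRITE requested, one group entry grants
    read, another grants write, and the process holds both capabilities.
    Returns (all-caps decision, first-match decision)."""
    acl = [Entry(USER_OBJ, perms=VREAD | VWRITE),
           Entry(GROUP, 100, VREAD),
           Entry(GROUP, 200, VWRITE),
           Entry(MASK, perms=VREAD | VWRITE),
           Entry(OTHER, perms=0)]
    if reverse_acl:
        acl[1], acl[2] = acl[2], acl[1]
    cred = Cred(uid=1000, gids=frozenset({100, 200}),
                caps=frozenset({"CAP_DAC_READ_SEARCH", "CAP_DAC_WRITE"}))
    want = VREAD | VWRITE
    return (access_all_caps(acl, 0, 0, cred, want),
            access_first_match(acl, 0, 0, cred, want))
```

Running `thread_scenario()` and `thread_scenario(reverse_acl=True)` shows the point of the disagreement: the all-capabilities rule audits both `CAP_DAC_READ_SEARCH` and `CAP_DAC_WRITE` regardless of entry order, while the first-match rule audits only one of them, and which one flips when the two group entries are swapped. The all-capabilities rule is also stricter: a process holding only `CAP_DAC_WRITE` is refused, where first-match would let it through whenever the read entry happens to come first.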