DOC HOME SITE MAP MAN PAGES GNU INFO SEARCH PRINT BOOK
 
Introduction to security

Access control

The Access Control mechanisms are those parts of the system that administer and enforce Discretionary Access Control (DAC) in accordance with the security policy. The access control subsystem also contains the auditing mechanism.

DAC checking algorithm

The kernel performs a DAC check every time a subject attempts to open an object for access.

The subject, a process, has a user ID and a primary group ID (and possibly supplementary group IDs) associated with it. The object has a set of permissions, including permission bits, and, possibly, an Access Control List (ACL).

A DAC check is performed to determine if the process requesting access to a file has permission to access the file in the mode (read, write, and/or execute/search) requested. Each access mode requested is checked separately according to the steps in the algorithm that follows:

   if effective uid of process matches owner id on object
       if requested access mode matches bits set in
          the permission bits representing permissions for the owner
           then the requested access is granted
   

else if any group in the group set of process matches the owner gid if requested access mode matches bits set in the permission bits representing permissions for the owning group and matches bits set in the class entry then the requested access is granted

else if requested access mode matches a bit set in the permission bits representing permissions for others then the requested access is granted else the requested access is denied

These checks are performed on every component of the pathname, including the object itself.


Next topic: How system architecture relates to security
Previous topic: System services

© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 22 April 2004