|
|
The Access Control mechanisms are those parts of the system that administer and enforce Discretionary Access Control (DAC) in accordance with the security policy. The access control subsystem also contains the auditing mechanism.
The kernel performs a DAC check every time a subject attempts to open an object for access.
The subject, a process, has a user ID and a primary group ID (and possibly supplementary group IDs) associated with it. The object has a set of permissions, including permission bits, and, possibly, an Access Control List (ACL).
A DAC check is performed to determine if the process requesting access to a file has permission to access the file in the mode (read, write, and/or execute/search) requested. Each access mode requested is checked separately according to the steps in the algorithm that follows:
if effective uid of process matches owner id on object
if requested access mode matches bits set in
the permission bits representing permissions for the owner
then the requested access is granted
else if any group in the group set of process matches the owner gid
if requested access mode matches bits set in
the permission bits representing permissions for the owning group
and matches bits set in the class entry
then the requested access is granted
else if requested access mode matches a bit set in the
permission bits representing permissions for others
then the requested access is granted
else the requested access is denied
These checks are performed on every component of the pathname, including the object itself.