The Access Control mechanisms are those parts of the system that administer and enforce Discretionary Access Control (DAC) in accordance with the security policy. The access control subsystem also contains the auditing mechanism.
The kernel performs a DAC check every time a subject attempts to open an object for access.
The subject, a process, has a user ID and a primary group ID (and possibly supplementary group IDs) associated with it. The object has a set of permissions, including permission bits, and, possibly, an Access Control List (ACL).
A DAC check is performed to determine if the process requesting access to a file has permission to access the file in the mode (read, write, and/or execute/search) requested. Each access mode requested is checked separately according to the steps in the algorithm that follows:
    if effective uid of process matches owner id on object
        if requested access mode matches bits set in the permission bits
           representing permissions for the owner
        then the requested access is granted
    else if any group in the group set of process matches the owner gid
        if requested access mode matches bits set in the permission bits
           representing permissions for the owning group
           and matches bits set in the class entry
        then the requested access is granted
    else if requested access mode matches a bit set in the permission bits
            representing permissions for others
        then the requested access is granted
    else the requested access is denied
These checks are performed on every component of the pathname, including the object itself.
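The algorithm and the pathname rule above, as an added C sketch (not the kernel's own code). It reads the if/else-if chain so that the first class the subject falls into decides the outcome, which is the standard UNIX behaviour. Assumptions: the struct layouts and function names are hypothetical, `class_bits` models the ACL class entry as an rwx mask (7 when no ACL is present), and intermediate pathname components are checked for search permission.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

enum { DAC_X = 1, DAC_W = 2, DAC_R = 4 };  /* same values as one rwx triple */

/* Assumed layouts for illustration; class_bits is the ACL class entry as an rwx mask. */
struct subject { uid_t euid; const gid_t *groups; size_t ngroups; };
struct object  { uid_t uid; gid_t gid; unsigned mode; unsigned class_bits; };

static bool in_group_set(const struct subject *s, gid_t gid) {
    for (size_t i = 0; i < s->ngroups; i++)
        if (s->groups[i] == gid) return true;
    return false;
}

/* One requested mode bit: the first class the subject matches decides, no fall-through. */
static bool dac_check_one(const struct subject *s, const struct object *o, unsigned bit) {
    if (s->euid == o->uid)
        return ((o->mode >> 6) & bit) != 0;                  /* owner bits */
    if (in_group_set(s, o->gid))
        return ((o->mode >> 3) & o->class_bits & bit) != 0;  /* group bits AND class entry */
    return (o->mode & bit) != 0;                             /* other bits */
}

/* Each requested access mode is checked separately; every one must be granted. */
bool dac_check(const struct subject *s, const struct object *o, unsigned want) {
    for (unsigned bit = DAC_X; bit <= DAC_R; bit <<= 1)
        if ((want & bit) && !dac_check_one(s, o, bit)) return false;
    return true;
}

/* Pathname walk: search (x) on each leading component, then `want` on the object itself. */
bool dac_check_path(const struct subject *s, const struct object *path, size_t n, unsigned want) {
    if (n == 0) return false;
    for (size_t i = 0; i + 1 < n; i++)
        if (!dac_check(s, &path[i], DAC_X)) return false;
    return dac_check(s, &path[n - 1], want);
}

int main(void) {  /* constructed sample: the owner of a mode-0077 file */
    gid_t gs[] = {100};
    struct subject owner = {1000, gs, 1};
    struct object f = {1000, 100, 0077, 7};
    printf("owner read on 0077: %s\n", dac_check(&owner, &f, DAC_R) ? "granted" : "denied");
    return 0;
}
```

The constructed sample shows the consequence that surprises people during permission audits: an owner can hold fewer rights than "others" on the same object, because the owner bits alone decide.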