IBM 10 SP1 EAL4 User Manual
•
If the process is neither the owner nor a member of an appropriate group, and the permission bits for
world allow the type of access requested, then the subject is permitted access.
world allow the type of access requested, then the subject is permitted access.
•
If none of the conditions above are satisfied, and the effective UID of the process is not zero, then the
access attempt is denied.
access attempt is denied.
5.1.5.2 Access Control Lists
The ext3 file system supports Access Control Lists (ACLs) that offer more flexibility than the traditional
permission bits. An ACL can enforce specific access rights for multiple individual users and groups, not just
for the single user and group defined for permission-bit based access control.
The ext3_check_acl() function checks if an object has an associated ACL. If it does not have one, the
permission bits. An ACL can enforce specific access rights for multiple individual users and groups, not just
for the single user and group defined for permission-bit based access control.
The ext3_check_acl() function checks if an object has an associated ACL. If it does not have one, the
system uses the standard permission bits algorithm as described in the previous section.
If the file system object has an associated ACL, the kernel calls the posix_acl_permission() function
If the file system object has an associated ACL, the kernel calls the posix_acl_permission() function
to enforce POSIX ACLs. ACLs are created, maintained, and used by the kernel. For more detailed
information about the POSIX ACLs, refer to the
information about the POSIX ACLs, refer to the
An ACL entry contains the following information:
•
A type of tag that specifies the type of the ACL entry.
•
A qualifier that specifies an instance a type of an ACL entry.
•
A permission set that specifies the discretionary access rights for processes identified by the tag type
and qualifier.
and qualifier.
5.1.5.2.1 Types of ACL tags
The following types of tags exist:
•
ACL_GROUP: This type of ACL entry defines access rights for processes whose file system group ID
or any supplementary group IDs match the one in the ACL entry qualifier.
•
ACL_GROUP_OBJ: This type of ACL entry defines access rights for processes whose file system
group ID or any supplementary group IDs match the group ID of the group of the file.
•
ACL_MASK: This type of ACL entry defines the maximum discretionary access rights for a process
in the file group class.
•
ACL_OTHER: This type of ACL entry of this type defines access rights for processes whose
attributes do not match any other entry in the ACL.
•
ACL_USER: An ACL entry of this type defines access rights for processes whose file system user ID
matches the ACL entry qualifier.
•
ACL_USER_OBJ: An ACL entry of this type defines access rights for processes whose file system
user ID matches the user ID of the owner of the file.
5.1.5.2.2 ACL qualifier
The qualifier is required for the ACL_GROUP and ACL_USER ACL types of entries, and contain either the
user ID or the group ID for which the access rights are defined.
48