1.0.9 progress


From: ao@morpork.shnet.org (A. Ott)
Subject: 1.0.9 progress
Date: 23 Jul 1999 08:55:00 +0200

Next Article (by Author): Re: 1.0.9 progress ao@morpork.shnet.org (A. Ott)
Previous Article (by Author): Re: access control projects ao@morpork.shnet.org (A. Ott)
Next in Thread: Re: 1.0.9 progress ao@morpork.shnet.org (A. Ott)
Articles sorted by: [Date] [Author] [Subject]


Hi all!

Things are moving on fast again.

In progress:
- RC model fairly changed (thanks to Simone):
  - Role-Type compatibility vectors have been replaced by matrices, the
    extra dimension being request type. In other words: You can now define
    role-to-type compatibilities separately for every request type,
    like process in role A may access object of type B with request type
    C. For A use any defined role, for B any defined object type and for C
    any RSBAC request type, e.g. READ_OPEN.
  - Forced roles for programs will extend beyond a CHANGE_OWNER on process
    (setuid), but of course not beyond a new EXECUTE
  - Request groups R (read accesses), RW (read- and write-accesses),
    SY (system accesses, e.g. MOUNT) and SE (security accesses, e.g.
    SET_ATTRIBUTE) have been defined and can be used for compatibility
    settings. Sure the addition of all groups results in a set of all
    requests.
  - Unfortunately there can be no automatic update for existing role
    definitions from 1.0.8, but type entries are kept.
  - If a process creates a new object (file/dir/ipc/process), it needs
    CREATE right for its rc_def_xxx_create_type (the type of the new
    object)

- New Access Control List (ACL) model:
  - Every object (file, dir, dev, ipc, scd, process) has an ACL
  - ACL entries contain a subject ID and a bitvector of allowed
    requests. Additionally, special rights like 'access control' and
    'forward own rights to others' will be included.
  - Subjects are grouped in user IDs, RC roles and ACL user groups. (The
    latter might not yet be in the 1.0.9 final release)
  - A special entry 'everyone' can be used to address all users
  - If there is no ACL entry for a subject at an object, the object's
    parent object is used (probably only for files and dirs)
  - The topmost parent of all objects is an object type specific default
    ACL, which can be changed as usual
  - If there is no matching entry in the default ACL, a default rights
    vector for this object type is used. This vector might also be
    configurable, but will default to 0.

So you see, there is some interesting new stuff coming up. The RC changes
are nearly finished, and as soon as RC works fine and ACL is in a
buildable (though still dysfunctional) state again, you will see a new
pre-version on the net.

Amon.

--
## CrossPoint v3.11 ##
-
To unsubscribe from the rsbac list, send a mail to
majordomo@morpork.shnet.org with
unsubscribe rsbac
as single line in the body.
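As an added illustration (not RSBAC's own code; the post above is its only source), this Python model walks the ACL lookup chain the message describes: the object itself, then its parent objects, then the object type's default ACL, then the default rights vector of 0. The subject identities (uid, RC role, 'everyone'), the rule that all entries matching a subject at one object are ORed together, the WRITE_OPEN request name and the exact membership of the R/RW/SY/SE groups are assumptions.

```python
from dataclasses import dataclass, field
from enum import IntFlag
from functools import reduce
from operator import or_
from typing import Optional

class Req(IntFlag):  # a few RSBAC request types; WRITE_OPEN is an assumed name
    READ_OPEN = 1
    WRITE_OPEN = 2
    CREATE = 4
    MOUNT = 8
    SET_ATTRIBUTE = 16
# Request groups named in the post; the exact membership used here is assumed.
R = Req.READ_OPEN
RW = Req.READ_OPEN | Req.WRITE_OPEN
SY = Req.MOUNT | Req.CREATE
SE = Req.SET_ATTRIBUTE
ALL = R | RW | SY | SE            # union of all groups is the full request set
EVERYONE = "everyone"             # special entry addressing all users

@dataclass
class Obj:
    otype: str                    # file, dir, dev, ipc, scd, process
    parent: Optional["Obj"] = None
    acl: dict = field(default_factory=dict)  # subject -> allowed-request bitvector
# Topmost parent: a per-object-type default ACL, then a default rights vector of 0.
DEFAULT_ACL = {"file": {"role:auditor": R, EVERYONE: Req(0)}, "dir": {EVERYONE: R}}
DEFAULT_RIGHTS = {"file": Req(0), "dir": Req(0)}
def _match(acl: dict, subjects: set) -> Optional[Req]:
    # OR all entries matching the subject's identities (uid, role, everyone); None if none match
    hits = [acl[s] for s in subjects if s in acl]
    return reduce(or_, hits) if hits else None
def rights_for(obj: Obj, subjects: set) -> Req:
    """Walk object -> parent chain, then the type's default ACL, then the default vector."""
    subjects = set(subjects) | {EVERYONE}
    node = obj
    while node is not None:
        v = _match(node.acl, subjects)
        if v is not None:         # any entry, even an all-zero one, ends the walk
            return v
        node = node.parent
    v = _match(DEFAULT_ACL.get(obj.otype, {}), subjects)
    return v if v is not None else DEFAULT_RIGHTS.get(obj.otype, Req(0))
def permitted(obj: Obj, subjects: set, req: Req) -> bool:
    return bool(rights_for(obj, subjects) & req)

# Constructed sample tree: / (uid 1000 may read and write) -> /etc -> /etc/passwd (uid 0 entry)
ROOT = Obj("dir", acl={"uid:1000": RW})
ETC = Obj("dir", parent=ROOT)
PASSWD = Obj("file", parent=ETC, acl={"uid:0": RW | SE})
```

Note that an explicit entry with an empty rights vector stops inheritance from the parent, so a zero entry for 'everyone' is a way to cut off inherited rights at one object.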
