Discretionary Access Algorithm
Next: Discretionary Access Control
Up: Discretionary Access Control
Previous: Access Control Lists
A process may request to read a file, write to a file, or execute/search
a file. To determine whether that access is permitted, the algorithm defined
by POSIX.6 is applied to the ACL of the file. In general terms, the access
check tests the requesting user against the ACL entries in the following
order:
- as the file owner.
- as a named user.
- as belonging to the owning group, together with any named groups.
- as belonging in any named groups.
- as other.
Once one of these matches, the ACL is searched no further, and the
permissions granted or denied by the matching entry are in effect. For
example, if a user is listed as a named user and every permission in that
entry is set to deny access, the user is denied access; the groups the user
belongs to are not checked to see whether the user could gain access through
the group entries' permissions.
The algorithm (somewhat
simplified here) is as follows:
- If the user requesting access is the file owner, and the requested
mode is granted by the owner's ACL entry, then access is granted; otherwise
access is denied.
- If the user is a named user in the ACL, and the requested mode is
granted by that ACL entry, then access is granted; otherwise access is denied.
- If the user is in the owning group of the file, or is a member of
any named groups, and the requested access mode is granted by the
ACL entry of the owning group or the ACL entry of any of these named
groups, then access is granted; otherwise access is denied.
- If the user is a member of any of the named groups, and the requested
access mode is granted by the ACL entry of any of these named groups, then
access is granted; otherwise access is denied.
- If the requested access mode is granted by the "other" entry, then
access is granted; otherwise access is denied.
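The check described above, and the named-user example given earlier (a denying named-user entry is final and group entries are never consulted), as an added illustration that is not part of the original document. The `Acl` layout, the sample entries and the user/group names are constructed for this example; like the text, it omits the ACL mask and other details of the full standard.

```python
from dataclasses import dataclass, field

# Permission bits, as in the traditional rwx triplet.
READ, WRITE, EXEC = 4, 2, 1

def mode_bits(spec: str) -> int:
    """Turn a request such as "rw" or "x" into permission bits."""
    table = {"r": READ, "w": WRITE, "x": EXEC}
    return sum(table[c] for c in spec)

@dataclass
class Acl:
    owner: str                 # user whose entry is the owner entry
    owning_group: str          # group whose entry is the owning-group entry
    owner_perms: int
    owning_group_perms: int
    other_perms: int
    named_users: dict = field(default_factory=dict)   # user -> bits
    named_groups: dict = field(default_factory=dict)  # group -> bits

def check_access(acl: Acl, user: str, groups: set, mode: int) -> bool:
    """Apply the discretionary check in the order the text gives."""
    def grants(perms: int) -> bool:
        return perms & mode == mode
    # 1. File owner: decided by the owner entry alone.
    if user == acl.owner:
        return grants(acl.owner_perms)
    # 2. Named user: decided by that entry alone. Group membership is
    #    not consulted even if some group entry would grant more.
    if user in acl.named_users:
        return grants(acl.named_users[user])
    # 3./4. Owning group and named groups: collect every group entry the
    #    user matches; access is granted if any one of them grants the
    #    full mode, and denied if some matched but none grants it.
    matched = []
    if acl.owning_group in groups:
        matched.append(acl.owning_group_perms)
    matched += [p for g, p in acl.named_groups.items() if g in groups]
    if matched:
        return any(grants(p) for p in matched)
    # 5. Other: reached only when no earlier entry matched.
    return grants(acl.other_perms)

# Constructed sample ACL: owner alice (rw), group staff (r), other (none),
# named user bob with every permission denied, named group devs (rw).
SAMPLE_ACL = Acl(owner="alice", owning_group="staff",
                 owner_perms=READ | WRITE, owning_group_perms=READ,
                 other_perms=0, named_users={"bob": 0},
                 named_groups={"devs": READ | WRITE})
```

Note that bob is denied read even though he belongs to devs, whose entry would grant it, because the named-user entry matched first.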
John Barkley
Fri Oct 7 16:17:21 EDT 1994