Privilege Determination and Privilege Inheritance



next up previous contents
Next: Mandatory Access Control Up: Privilege Previous: Privileges and Interfaces

Privilege Determination and Privilege Inheritance

The set of privileges that are associated with a process that is executing a file may be revoked, inherited, or absolutely granted. This is all dependent of the value(s) of the file privilege state of the file, and the process privilege state of the previous process image. The process privilege state of a file is defined by the set of process privilege flags associated with a process. The process privilege flags defined by the POSIX.6 standard are permitted, effective, and inheritable. These flags apply to each privilege separately. (That is, a privilege may have some combination of these flags associated with it.) A process can exercise a particular privilege only when the privilege's effective flag is set. This flag is the only flag evaluated when determining if a process has appropriate privilege.

A process shall be able to set all the process flags for a particular privilege if the permitted flag for that privilege is set. This flag is used to determine whether the effective flag for the privilege will be set, and hence the privilege exercised.

A privilege can be passed on to the next process image only if the inheritable flag is set. Whether the inheritance is allowed depends on the file privilege state defined below.

File privilege flags are associated with files. A set of these is applied to each privilege. The POSIX.6 standard defines two privilege flags: allowed and forced. The allowed flag permits the privilege to be passed to the next process image depending on the process flag for the previous process. When the allowed flag is set, and the inheritable flag is set for the previous process, then the next process image will have the permitted flag set for that privilege.

The forced flag of the file privlege flags allows the privilege to be passed on to the next process image regardless of the previous process image flags or the allowed flag. The process privilege flag for the particular privilege in the new process image automatically becomes permitted.

The last category of defined privilege information is the file privilege attributes. The POSIX.6 standard defines these as values associated with a file that apply to all the privileges defined. There is a single file privilege attribute defined: set_effective. This flag is used by the exec() function to determine which privileges associated with the new process image will be set to effective (and thus possess appropriate privilege).

When a new process is created by the fork() call, the privilege state of the new process is the same as the previous process. When a new process is created by exec(), the following algorithm is used to determine the privilege state of the new process image. This algorithm is applied to each privilege that has its permitted flag set in the current process image.

The algorithm described above provides the new process image with a set of privileges, each with their permitted flags set. This means that these privileges have the potential to become effective, and thus can be exercised. The factor that determines if these privileges become effective or not is the file privilege attribute: set_effective. If the set-effective attribute of the process file is set, then the effective flag for each of these privileges is set. A process can then exercise appropriate privilege when the privileges that are effective are called for.

Using the mechanism described above, privileges can be revoked (if the inheritable flag is not set), inherited (if the inherited flag and the allowed flag are set), and forced (if the forced flag is set). This capability enables the features described earlier (granularity of privilege, time bounding of privilege, and inheritance of privilege), to be implemented and used on a system. The POSIX.6 defined interfaces allow applications to make calls to use the mechanism to enforce the least privilege principle.

The interfaces specified to obtain, manipulate and set the privileges of a process privilege state or a file privilege state follow the model of using opaque data objects. First a call is made to obtain (read) the privilege state of a file or process. If necessary, working storage is used, the privilege state is read into working storage, and a pointer to the object in working storage is returned. ``Get'' and ``set'' interfaces are then used to manipulate the specifics of the privilege state. When finished, the privilege state that is to be associated with a process or file is written to the process privilege state or the file privilege state, respectively.



next up previous contents
Next: Mandatory Access Control Up: Privilege Previous: Privileges and Interfaces



John Barkley
Fri Oct 7 16:17:21 EDT 1994