Paul B. Henson wrote:
> Sweet. Might I request an acl evaluation function? Which basically, given a
> user and a requested permission, returns either true (user has permission),
> false (user doesn't have permission), or error condition. Similar to the
> POSIX access() call, but for ACLs. If I had that I wouldn't need to be
> mucking around with the ACL directly at all :), as that's basically what
> I'm implementing...
You need to understand though that access(2) and any equivalent function that evaluates an ACL is NOT authoritative. The only way to get an authoritative answer is to actually try the operation. In privileged programs you must be careful that you do not introduce "Time Of Check To Time Of Use" security vulnerabilities when using functions like access(2). Only the kernel should make the access control decision, and functions like access(2) should generally only be used to assist in providing a more informative error message.

The reason for this is that it is not just the evaluation of the ACL/permission as that user that determines the final result. Other things can impact it as well - for example the Trusted Extensions mandatory access label (ie a zone) and in the future the FMAC[1] security context.

As long as you take that into account a function to evaluate access control can be used safely.

[1] http://opensolaris.org/os/project/fmac/

-- 
Darren J Moffat
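The pattern Darren describes, as an added illustration that is not part of the original thread: the check-then-use version calls access(2) and then open(2) as two separate steps, so the kernel's answer at open time can differ from what access() reported (the file can be replaced, the ACL can change, a label or security context can apply). The authoritative version simply attempts open(2) and consults access(2) afterwards, only to produce a better diagnostic. Function names (`racy_open_for_read`, `authoritative_open_for_read`, `explain_open_failure`) are assumptions made here for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Anti-pattern (TOCTOU): check with access(2), then use with open(2).
 * Nothing ties the two calls together, so a "yes" from access() says
 * nothing certain about what open() will do a moment later. Kept here
 * only to contrast with the authoritative version below.
 */
int racy_open_for_read(const char *path)
{
    if (access(path, R_OK) != 0)
        return -1;                   /* errno left as set by access() */
    return open(path, O_RDONLY);     /* the kernel may still refuse */
}

/*
 * Advisory diagnostic only: translate a failed open() into a message.
 * access(path, F_OK) is used here purely to word the message better;
 * it never changes the outcome, which open() already decided.
 */
void explain_open_failure(const char *path, int err, char *msg, size_t msglen)
{
    if (msglen == 0)
        return;
    if (err == EACCES) {
        if (access(path, F_OK) == 0)
            snprintf(msg, msglen,
                     "%s: exists, but the caller lacks read permission", path);
        else
            snprintf(msg, msglen,
                     "%s: a directory on the path is not searchable by the caller",
                     path);
    } else {
        snprintf(msg, msglen, "%s: %s", path, strerror(err));
    }
}

/*
 * Recommended pattern: attempt the operation and let the kernel decide.
 * Returns the open descriptor, or -1 with errno set exactly as open() set it;
 * msg (optional) receives a human-readable explanation of a failure.
 */
int authoritative_open_for_read(const char *path, char *msg, size_t msglen)
{
    int fd = open(path, O_RDONLY);
    if (fd >= 0) {
        if (msg && msglen)
            msg[0] = '\0';
        return fd;
    }
    int saved = errno;               /* preserve the kernel's verdict */
    if (msg && msglen)
        explain_open_failure(path, saved, msg, msglen);
    errno = saved;
    return -1;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/passwd";
    char why[256];
    int fd = authoritative_open_for_read(path, why, sizeof why);
    if (fd < 0) {
        fprintf(stderr, "open failed: %s\n", why);
        return 1;
    }
    printf("opened %s (fd %d)\n", path, fd);
    close(fd);
    return 0;
}
```

Note that the only result the caller should act on is the return value of open(); the text from explain_open_failure() is for the user, not for a control-flow decision.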