Ambient authority
From Erights
(I've added one new (as I assume relevant) entry in the "Notes" section that further clarifies the notion of "ambient authority".) |
(Section "Notes" was renamed to "Notes concerning the definition".) |
||
Line 5: | Line 5: | ||
IF a subject requests an action, typically by naming an object and an operation on that object, and the action is allowed because the subject has a permission that would allow the action, THEN we say that the subject has '''ambient authority'''. | IF a subject requests an action, typically by naming an object and an operation on that object, and the action is allowed because the subject has a permission that would allow the action, THEN we say that the subject has '''ambient authority'''. | ||
- | == Notes == | + | == Notes concerning the definition == |
Instead of "naming" an object, capability community often uses the term "designation" of an object. | Instead of "naming" an object, capability community often uses the term "designation" of an object. |
Revision as of 07:00, 19 June 2009
The correct interpretation of this page relies on proper interpretation of words: subject, object, operation and permission.
Contents |
Definition
IF a subject requests an action, typically by naming an object and an operation on that object, and the action is allowed because the subject has a permission that would allow the action, THEN we say that the subject has ambient authority.
Notes concerning the definition
Instead of "naming" an object, capability community often uses the term "designation" of an object.
Whether we can say that some chosen subject has ambient authority or not is solely determined by the fact HOW are operations allowed or denied. It is independent from the fact WHAT PERMISSIONS a given subject actually has. This matters in case of a term excess authority.
In contrast, in a designated authority system, a subject explicitly identifies a subset (usually one) of its permissions, and the action is allowed only if permitted by that subset of permissions.
In an ambient authority system, a subject making a request does not specify which permission to use -- the subject does not identify which permission is claimed to justify allowing the request. Instead, the system looks through all of the subject's permissions and allows the request if any of the subject's permissions would justify allowing the request.
In an ambient authority system, a subject may have many permissions, and there is often no way for the subject to single one of these out. As a result, in these systems, developers may not think of the subject as having multiple different permissions at once; instead, developers might just associate the union of all those permissions with the subject, and call them the permissions of the subject.
Examples of ambient authority
All UNIX processes run by some user have ambient authority to manipulate all files owned by that user.
All UNIX processes have ambient authority to listen to TCP or UDP ports 1024--65535.
All UNIX processes have ambient authority to send any signal to any other UNIX process.
Acknowledgement
The term ambient authority was coined by Dean Tribble and Mark S. Miller.