Ambient authority
From Erights
Contents |
Draft Definition
A subject may have several different permissions. Ambient authority is authority that can be used without having to identify which specific permission is required. In an ambient authority system, when a subject requests an action (typically by naming an object and an operation on that object), the action is allowed if the subject has any permission for the action.
In contrast, in a designated authority system, a subject explicitly identifies a subset (usually one) of its permissions, and the action is allowed only if permitted by that subset of permissions.
In an ambient authority system, often there is no way to identify a specific permission, so there is no concept of having different permissions.
Comment
Several access control models were invented and implemented to enable restriction of ambient authority of subjects. Many of them are:
- either weak (we cannot follow the principle of least authority)
- or convoluted (it is hard to learn how to work with this model and be sure about authority of subjects).
Things become more "interesting" if we have to consider different security policies enforced via different alternative security mechanisms for the same type of objects and for different type of objects and the relevant transitivity relationship.
Examples of ambient authority
All UNIX processes run by some user have ambient authority to manipulate all files owned by that user.
All UNIX processes have ambient authority to listen to TCP or UDP ports 1024--65535.
All UNIX processes have ambient authority to send any signal to any other UNIX process.
Acknowledgement
The term ambient authority was coined by Dean Tribble and Mark S. Miller.
