Ambient authority

From Erights

Revision as of 10:01, 11 June 2009 by Kosik

Definition

If a subject can operate on all objects of a given type, we say that it has ambient authority.

Comment

Several access control models were invented and implemented to enable restriction of ambient authority of subjects. Many of them are:

Things become more "interesting" if we have to consider different security policies enforced via different alternative security mechanisms, both for the same type of objects and for different types of objects, together with the relevant transitivity relationship.

Examples of ambient authority

If we consider files owned by some UNIX user as objects and UNIX processes as subjects then all processes have ambient authority to manipulate all those files.

If we consider TCP ports 1024-65535 as objects and UNIX processes as subjects then all processes have ambient authority to listen on any of those ports.

If we consider all executable programs owned by some UNIX user as objects and all UNIX processes run by the same user as subjects then all these processes have ambient authority to run any of those programs.

If we consider all functions defined in some C program as subjects and all functions in the same C program as objects then any function has ambient authority to call any other function (in C we can cast any integer to a function pointer and perform the call operation with this forged reference to a function).

If we consider all functions defined in some C program as subjects and all regions of the address space of the relevant process as objects then all these functions have ambient authority to read from or write to any such memory region.
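The first example above (files owned by a UNIX user), as an added C sketch that is not part of the original page: a helper that designates a file by name can reach any file the user owns, while a helper handed an open descriptor acts only on that one file. The function names, file names and file contents are constructed for illustration; passing a descriptor is only a convention here, since nothing in C stops `count_bytes_fd` from calling `open` itself.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Designation by descriptor: the helper acts only on the one file
   its caller handed over. */
static long count_bytes_fd(int fd) {
    char buf[256];
    long total = 0;
    ssize_t n;
    if (lseek(fd, 0, SEEK_SET) < 0) return -1;
    while ((n = read(fd, buf, sizeof buf)) > 0) total += n;
    return n < 0 ? -1 : total;
}

/* Designation by name: the helper opens the path itself, relying on
   the ambient authority of the process's UNIX user. */
static long count_bytes_path(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    long total = count_bytes_fd(fd);
    close(fd);
    return total;
}

/* Creates a constructed sample file (mode 0600) and returns its fd. */
static int make_file(char *path, size_t cap, const char *tag, const char *data) {
    snprintf(path, cap, "/tmp/ambient_%s_%ld", tag, (long)getpid());
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && write(fd, data, strlen(data)) < 0) { close(fd); return -1; }
    return fd;
}

/* Returns 1 when the fd helper saw only the file it was given (5 bytes)
   and the path helper could also read a file nobody passed to it (11). */
int ambient_demo(void) {
    char report[64], private_path[64];
    int rfd = make_file(report, sizeof report, "report", "hello");
    int pfd = make_file(private_path, sizeof private_path, "private", "secret data");
    if (rfd < 0 || pfd < 0) return -1;
    long given = count_bytes_fd(rfd);
    long reached = count_bytes_path(private_path);
    close(rfd); close(pfd);
    unlink(report); unlink(private_path);
    return given == 5 && reached == 11;
}

int main(void) { return ambient_demo() == 1 ? 0 : 1; }
```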
