Access Road 0.7
About
the s
About this guide
The Access Road documentation includes a first tutorial named 'one-hour tutorial for learning access controls'. It is recommended to read that document first, because it introduces the simulation of GNU/Linux Ubuntu®. It shows how to create an ACS for simulating this software, and it demonstrates the learning capacities of Access Road through the example of the Linux umask function. More generally, to save time, it is recommended to first read the 3 basic tutorials for Access Road. This short guide discusses the following issues about the simulation of GNU/Linux Ubuntu:
For the software developer, the reference documentation is the extended Javadoc documentation for Access Road. It includes a full description of this ACS add-on. This documentation is published under an FDL license.
The simulated Linux rights
The Account/Group rights are the main tool for having rights in a GNU/Linux . The AclEntry may be used only in the authorization subACS. There are 6 types of GNU/Linux rights to simulate. They are presented hereinafter:
In Unix and GNU/Linux, the directory rights use the same names (r, w, x) as the basic file rights, but their meanings are very different! That is why the directory rights (rdir, wdir, xdir) are created in the Access Road simulation. We think this will help the user to better understand the effective rights. A right has an opposite to apply the rules of the umask feature.
How the Account/Group rights are managed in the file system
This ACS add-on complements the generic Account/Group rights with specific 'Other' rights. This is why the acronym 'AGO' rights is used for GNU/Linux Ubuntu. For files, GNU/Linux Ubuntu combines the Account/Group context of the right user with the AGO rights of the target and its parents. In Access Road, the effective access rights on an Ubuntu Resource are selected by a two-step process based on the AG rights, completed by the specific AGO Other rights of GNU/Linux Ubuntu.

At the first step of the rights analysis, the AG inherited rights on the target are considered. The Account/Group context of the right user is used to determine whether the AGO rights of each target parent allow access to the target. If not, there are no rights at all.

At the second step of the rights analysis, the Account rights of the target are applied first, if the target Account is in the Account/Group context of the right user. Otherwise, the Group rights of the target are tried, and if the Group does not match, the 'AGO Other' rights are always applied. This sequence (Account, then Group, then Other) is also relevant in the first step, for the AG inherited rights. Enforcing the order of rights (Account, then Group, then Other) in all cases is an important feature of the ACS add-on. This may lead to the deletion of some access paths that the generic search has found.

How the inherited AGO rights work

The 'AG Inheritance' tab is the main panel for information about the inherited AGO rights of a Resource. The child inherited rights come from the AG directory rights, and they are applied to all the children. This is a generic Access Road feature, based on a 'directory/child' pattern in the generic right names. For instance, the generic right 'write_for_nxdirectory' has the image 'write_for_nxchild', which has the lower rights 'createchild' and 'deletechild'. Passed as arguments to a generic method, these rights produce the children rights 'create' and 'delete'.
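The two-step analysis and the directory-to-child derivation described above, as an added Python example that is not Access Road code. It assumes that a parent "allows access" when it grants xdir, uses plain Linux mode bits rather than Access Road's generic right names, and runs on a constructed /srv/proj/notes.txt tree with hypothetical users.

```python
from dataclasses import dataclass

# Assumption: superuser bypass and AclEntry rights are not modelled here.
@dataclass(frozen=True)
class Node:
    owner: str            # Account
    group: str            # Group
    mode: int             # octal AGO bits, e.g. 0o750
    is_dir: bool = False

def ago_bits(account, groups, node):
    """Select exactly one rwx triplet: Account, then Group, then Other."""
    if account == node.owner:
        return (node.mode >> 6) & 0o7
    if node.group in groups:
        return (node.mode >> 3) & 0o7
    return node.mode & 0o7

def effective_rights(account, groups, parents, target):
    """Step 1: each parent must grant xdir. Step 2: AGO order on the target."""
    for parent in parents:
        if not ago_bits(account, groups, parent) & 0o1:
            return set()  # a parent blocks access: no rights at all
    bits = ago_bits(account, groups, target)
    names = ("rdir", "wdir", "xdir") if target.is_dir else ("r", "w", "x")
    return {n for n, b in zip(names, (0o4, 0o2, 0o1)) if bits & b}

def child_rights(account, groups, parents, directory):
    """Linux semantics: wdir plus xdir on a directory gives create/delete."""
    rights = effective_rights(account, groups, parents, directory)
    return {"create", "delete"} if {"wdir", "xdir"} <= rights else set()

# Constructed sample tree (not from the page): /srv/proj/notes.txt
SRV = Node("root", "root", 0o755, is_dir=True)
PROJ = Node("alice", "dev", 0o750, is_dir=True)
NOTES = Node("alice", "dev", 0o064)  # owner ---, group rw-, other r--

def demo():
    """Return (rights on notes.txt, rights on children of /srv/proj) per user."""
    users = {"alice": {"dev"}, "bob": {"dev"}, "carol": {"staff"}}
    return {
        name: (effective_rights(name, groups, [SRV, PROJ], NOTES),
               child_rights(name, groups, [SRV], PROJ))
        for name, groups in users.items()
    }

if __name__ == "__main__":
    for name, (on_file, on_children) in demo().items():
        print(name, sorted(on_file), sorted(on_children))
```

In this sample, alice owns notes.txt and is also in its group, yet gets no rights on it because the Account triplet is selected first; carol would match the readable 'Other' triplet on the file but is stopped at /srv/proj in the first step.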
In this way, the true meaning of the rights is enforced for the GNU/Linux Ubuntu ACS. There is no way to use the generic rights 'xxxchild' as effective rights on a Resource. They are just intermediate values for the processing, and they are deactivated. The generic right 'full_control' has dedicated processing since it has two images, 'full_controlchild' and 'full_controlnxchild'. The first image works as the sum of the images 'read_for_child' and 'write_for_child'; the second works as the sum of 'read_for_child', 'write_for_nxchild' and 'execute_for_nxchild'. The same applies to 'deny_all' and its two images 'deny_allchild' and 'deny_allnxchild'.

®All trademarks are property of their respective holders. Copyright ACCBEE – 22 February 2012