blob: 2d6084bf38e76f69ad927c1f3a50b2df59c02588 (plain
[[!meta copyright="Copyright © 2007, 2008 Free Software Foundation, Inc."]]
[[!meta license="""[[!toggle id="license" text="GFDL 1.2+"]][[!toggleable
id="license" text="Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version 1.2 or
any later version published by the Free Software Foundation; with no Invariant
Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license
is included in the section entitled
[[GNU Free Documentation License|/fdl]]."]]"""]]
UIDs on the Hurd are separate from processes. A process has
[[capabilities|capability]] designating so-called UID vectors that
are implemented by an [[translator/auth]] server. This
makes them easily [[virtualizable|virtualization]].
When a process wishes to gain access to a resource provided by a third
party (e.g., a file system) and that party wishes to authenticate the client
so as to implement some identity-based access control ([[IBAC]]) policy,
the latter initiates a three-way authentication handshake. The server
and client each then begin an authentication sequence with
their respective [[trust]]ed auth servers. If they have
a mutally trusted ancestor and an auth server does not abort the
transaction, then the client is delivered a new capability
naming a newly authenticated session with the server
and the server is delivered the client's designated UID vector.
For more details, see section 2.3 of the [[critique]].