- Ambient authority
A computer program is said to use ambient authority when it designates permissions that it wishes to exercise from a global namespace. The authority is "ambient" in the sense that it exists in a broadly visible environment where others can request it by name. A computer security model is said to have ambient authority if it provides access to protected resources in this fashion. For example, suppose a C program opens a file for read access by executing the call:
open("filename", O_RDONLY, 0)
The desired file is designated by its name on the filesystem, which is a global namespace shared with other programs, so the program is exercising ambient authority.
When ambient authority is requested, permissions are granted or denied based on one or more global properties of the executing program, such as its "identity" or its "role". In such cases, the management of access control is handled separately from explicit communication to the executing program or process, through means such as access control lists associated with objects or through Role-Based Access Control mechanisms. The executing program has no means to determine for what purpose it was granted a permission. This inevitably leads to such programs being subject to the confused deputy problem.

The term "ambient authority" is used primarily to contrast with object-capability models or simply capability-based security models, in which executing programs receive permissions as they might receive data, as communicated object references. This allows them to determine where the permissions came from, and thus avoid the confused deputy problem.

Ambient authority is the dominant form of access control in computer systems today. The "user" model of access control as used in Unix and in Windows systems is an ambient authority model because programs execute with the authorities of the "user" that started them. This not only means that executing programs are inevitably given more permissions (see Principle of least privilege) than they need for their task, but that they are unable to determine the source or the number and types of permission that they have. A program executing under an ambient authority access control model has little option but to designate permissions and try to exercise them, hoping for the best. This property requires an excess of permissions to be granted to users or roles, in order for programs to execute without error.
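The contrast between designating a file by name and receiving a permission as a communicated reference can be shown in C, as an added example that is not part of the original article. The function names, the /tmp path and the scenario are constructed: a single process plays the deputy, and a read-only descriptor stands in for a client whose own authority does not include writing the file.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Ambient style: the deputy is handed a name and resolves it in the global
 * filesystem namespace with its own permissions, whatever the caller holds. */
static int deputy_write_by_name(const char *path, const char *msg) {
    int fd = open(path, O_WRONLY | O_TRUNC);
    if (fd < 0) return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}

/* Capability style: the deputy is handed an open descriptor, so it can do
 * only what the caller's own reference already permits. */
static int deputy_write_by_fd(int fd, const char *msg) {
    ssize_t n = write(fd, msg, strlen(msg));
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}

/* Constructed scenario: the deputy may write the "billing" file, the client
 * holds read access only. Returns 1 if the client's request overwrote the
 * file, 0 if the contents survived, -1 on setup failure. */
int billing_clobbered(int use_capability) {
    char path[64], buf[32] = {0};
    snprintf(path, sizeof path, "/tmp/ambient_demo_%ld", (long)getpid());
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    if (write(fd, "BILLING", 7) != 7) { close(fd); unlink(path); return -1; }
    close(fd);

    int client_fd = open(path, O_RDONLY);  /* all the client is entitled to */
    if (client_fd < 0) { unlink(path); return -1; }
    if (use_capability)
        deputy_write_by_fd(client_fd, "client output");  /* fails with EBADF */
    else
        deputy_write_by_name(path, "client output");     /* deputy's authority */

    ssize_t n = read(client_fd, buf, sizeof buf - 1);
    close(client_fd);
    unlink(path);
    return n < 0 ? -1 : strcmp(buf, "BILLING") != 0;
}

int main(void) {
    printf("by name: clobbered=%d\n", billing_clobbered(0));
    printf("by fd:   clobbered=%d\n", billing_clobbered(1));
    return 0;
}
```

In the by-name case the deputy cannot tell that the request exceeds what the client may do; in the by-descriptor case the kernel refuses the write because the reference itself carries only read permission.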
Wikimedia Foundation. 2010.