
Mask Entry Types

Following are descriptions of the ACL entry types that specify masks:

· mask_obj

The mask_obj entry establishes the permission set that masks all privilege attribute entry types except the user_obj and other_obj types.

· unauthenticated

The unauthenticated entry establishes the permission set that masks the permission set in a privilege attribute entry that corresponds to a principal whose privilege attributes have not been certified by an authority such as the privilege service.

The two masks are similar in that the permission set specified in the mask entry is intersected (logically ANDed) with the permission set in a privilege attribute entry. This masking operation yields the effective permission set (the permissions that may be granted to the principal) for the principal possessing the privilege attribute. For example, if a privilege attribute entry specifies the permissions ab, and a mask entry that specifies the permissions bc masks that privilege attribute entry, the effective permission set is b. Similarly, a mask entry that specifies the empty permission set means that none of the permissions in any privilege attribute entry that mask entry masks is granted to the principal possessing the privilege attribute.

The two masks are dissimilar in one notable respect. Adding an unauthenticated mask entry with an empty permission set to an ACL is equivalent to omitting the unauthenticated mask entry from the ACL; in both cases, the set of effective permissions for principals possessing unauthenticated privilege attributes is empty. However, adding a mask_obj entry with an empty permission set to an ACL is different from having no mask_obj entry in the ACL. In the first case, the effective permission set is empty; in the second case, the effective permission set is identical to the permission set in the privilege attribute entry.

ACL entries for masks consist of two fields in the following form:

entry_type:permissions

Following are descriptions of the fields:

· The entry_type field specifies one of the two mask entry types: mask_obj or unauthenticated.

· The permissions field specifies the permission set that masks the permission set in any privilege attribute entry masked by the mask entry.
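The following is an added example, not code from the original page or from any DCE implementation. It parses a small constructed ACL whose mask entries use the two-field entry_type:permissions form described above and computes effective permissions by intersection, reproducing the asymmetry described earlier: a missing mask_obj entry means no masking, while a missing unauthenticated entry behaves exactly like an empty one. The three-field type:key:permissions form used here for user and group entries, the single-letter permission names, and the sample principals are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Entry types that the mask_obj entry never masks (per the description above).
UNMASKED_BY_MASK_OBJ = {"user_obj", "other_obj"}

# Entry types that carry no key field (the object's owner and "other").
KEYLESS_TYPES = {"user_obj", "other_obj"}


@dataclass
class Acl:
    # (entry_type, key, permission set); key is None for keyless types
    entries: list = field(default_factory=list)
    # None means "no such mask entry in the ACL", which differs from an empty set
    mask_obj: Optional[set] = None
    unauthenticated: Optional[set] = None


def parse_acl(lines):
    """Parse constructed ACL text, one entry per line, '#' for comments.
    Mask entries: entry_type:permissions (two fields, as on this page).
    user_obj/other_obj: entry_type:permissions (assumed two-field form).
    Other privilege attribute entries: entry_type:key:permissions (assumed)."""
    acl = Acl()
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        entry_type = parts[0]
        if entry_type in ("mask_obj", "unauthenticated"):
            if len(parts) != 2:
                raise ValueError(f"mask entry must have two fields: {line!r}")
            perms = set(parts[1])          # "mask_obj:" yields the empty set
            if entry_type == "mask_obj":
                acl.mask_obj = perms
            else:
                acl.unauthenticated = perms
        elif entry_type in KEYLESS_TYPES:
            if len(parts) != 2:
                raise ValueError(f"{entry_type} entry must have two fields: {line!r}")
            acl.entries.append((entry_type, None, set(parts[1])))
        else:
            if len(parts) != 3:
                raise ValueError(f"entry must have three fields: {line!r}")
            acl.entries.append((entry_type, parts[1], set(parts[2])))
    return acl


def effective_permissions(acl, entry_type, key=None, authenticated=True):
    """Effective permission set for the principal matched by one privilege
    attribute entry, after applying the masks. A principal with no matching
    entry gets nothing (assumption for this illustration)."""
    for etype, ekey, perms in acl.entries:
        if etype == entry_type and ekey == key:
            break
    else:
        return set()
    effective = set(perms)
    # mask_obj: logical AND with the entry, except for the exempt types and
    # except when the ACL has no mask_obj entry at all.
    if acl.mask_obj is not None and entry_type not in UNMASKED_BY_MASK_OBJ:
        effective &= acl.mask_obj
    # unauthenticated: an absent entry masks exactly like an empty one.
    if not authenticated:
        effective &= acl.unauthenticated or set()
    return effective


# Constructed sample ACL (not from the original page).
SAMPLE_ACL = """
user_obj:rwx
user:alice:ab
group:staff:abc
other_obj:r
mask_obj:bc
unauthenticated:c
"""


def demo():
    """Return the four cases discussed in the text as a dict."""
    lines = SAMPLE_ACL.splitlines()
    with_masks = parse_acl(lines)
    no_mask_obj = parse_acl([l for l in lines if not l.startswith("mask_obj")])
    empty_mask_obj = parse_acl([l if not l.startswith("mask_obj") else "mask_obj:"
                                for l in lines])
    no_unauth = parse_acl([l for l in lines if not l.startswith("unauthenticated")])
    return {
        "alice, ab masked by bc": effective_permissions(with_masks, "user", "alice"),
        "alice, no mask_obj entry": effective_permissions(no_mask_obj, "user", "alice"),
        "alice, empty mask_obj": effective_permissions(empty_mask_obj, "user", "alice"),
        "alice, unauthenticated, no entry": effective_permissions(
            no_unauth, "user", "alice", authenticated=False),
    }


if __name__ == "__main__":
    for case, perms in demo().items():
        print(f"{case}: {''.join(sorted(perms)) or '(none)'}")
```

The distinction the page draws shows up in how the two optional masks are represented: mask_obj being None skips the intersection, whereas an unauthenticated mask of None is folded into the empty set before the intersection, so the two ways of writing "no permissions for unauthenticated principals" produce the same result.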