Re: The ACL debate (was: Re: What's left over.)

From: Jesse Pollard (pollard@admin.navo.hpc.mil)
Date: Thu Oct 31 2002 - 11:47:07 EST

Next message: Bernd Petrovitsch: "Re: CONFIG_TINY"
Previous message: Richard B. Johnson: "Re: need h/e/l/p: PM -> RM in machine_real_start"
In reply to: Trever L. Adams: "The ACL debate (was: Re: What's left over.)"
Next in thread: Trever L. Adams: "Re: The ACL debate (was: Re: What's left over.)"
Reply: Trever L. Adams: "Re: The ACL debate (was: Re: What's left over.)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thursday 31 October 2002 04:59 am, Trever L. Adams wrote:
> 5) Only root can change group ownership of a file

not quite - the owner of the file may change the group ownership to
any other group that the owner is a member.

It does require root to change a file group to a group the owner is
not a member of.

>Why ACLs are bad:

ACLs alone are not enough. ACLs alone allow a user to grant
access to any other user/group. For situations that require a fence
between users (ie. accounting/parts inventory) only a mandatory
access control (MAC) would be able to prevent such improper
data sharing. It is also a problem in government use. At least on
large, shared resource systems.

Putting users in disjoint group memberships accomplishes this.
Providing ACLs can allow improper sharing since that is a descretionary
permission.

Mitigating factors:

Adding MAC restores facility control, and still allows the user
some flexibility to create ad-hoc groups within an administratively
defined population group.

The normal UNIX solution is to have multiple systems, each dedicated
to a relatively small population where any user is authorized to access
data on that system (this is where limited groups come in), but owners
of the data may provide a more restricted access.

Having dedicated resources corresponds to the MAC access control.
Having owner/group/world access controls (and/or ACLs) provides
the owner with a descretionary access control for the administratively
controled population of users.

A large resource usually has to be shared (wind tunnel simulations,
finite element analysis of different structures, large inventory
management...). And sharing doesn't necessarily involve sharing
data.

-- ------------------------------------------------------------------------- Jesse I Pollard, II Email: pollard@navo.hpc.mil

Any opinions expressed are solely my own. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/

Next message: Bernd Petrovitsch: "Re: CONFIG_TINY"
Previous message: Richard B. Johnson: "Re: need h/e/l/p: PM -> RM in machine_real_start"
In reply to: Trever L. Adams: "The ACL debate (was: Re: What's left over.)"
Next in thread: Trever L. Adams: "Re: The ACL debate (was: Re: What's left over.)"
Reply: Trever L. Adams: "Re: The ACL debate (was: Re: What's left over.)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Thu Oct 31 2002 - 22:00:54 EST