From owner-freebsd-hackers  Wed Oct 27 10:33:17 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP id BD48614FB3
	for <freebsd-hackers@freebsd.org>; Wed, 27 Oct 1999 10:33:08 -0700 (PDT)
	(envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.9.3/8.9.3) with SMTP id NAA24646;
	Wed, 27 Oct 1999 13:32:59 -0400 (EDT)
	(envelope-from robert@cyrus.watson.org)
Date: Wed, 27 Oct 1999 13:32:58 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson <robert+freebsd@cyrus.watson.org>
To: Chuck Youse <cyouse@paradox.nexuslabs.com>
Cc: freebsd-hackers@freebsd.org
Subject: Re: UFS ACLs
In-Reply-To: <Pine.BSF.4.10.9910271103510.1849-100000@paradox.nexuslabs.com>
Message-ID: <Pine.BSF.3.96.991027132739.22425E-100000@fledge.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

As pointed out already, there has been *extensive* discussion of this in
*numrous* forums.  To guide your research into the topic, I recommend
looking at the ACL implementations in Solaris and IRIX, as well as the
POSIX.1e ACL specification.  

Take a look at http://www.watson.org/fbsd-hardening/posix1e/ for links to
information on POSIX.1e.  You may also want to search the UCLA tech report
archive for references to file system layers, extended attribute services,
and Access Control Lists, which should turn up a few papers on layered
file systems, and specifically on implementing an ACLfs based on an
extended attribute service based on layering (lots of bases here). 

For FreeBSD-specific information, I can recommend no better than searching
the archives of -hackers, -security, -fs, and -arch.

If you're interested in fine-grained access control on objects other than
files, there has been lots of discussion of that also, in many forums.  In
fact, it's realistic to say that there's a whole field of research on
hardening UNIX, writing trusted UNIX implementations, etc.

On Wed, 27 Oct 1999, Chuck Youse wrote:

> 
> I admittedly haven't done much homework on this topic, but I was wondering
> if anyone has played with the idea of implementing ACLs on top of UFS.
> 
> One of the weakest areas in UNIX is its lack of fine-grained access
> control for resources - the biggest resource being, of course, the
> filesystem.
> 
> Chuck Youse
> 
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
> 


  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message