Date:      Mon, 13 Oct 1997 20:53:08 -0500 (CDT)
From:      "Matthew D. Fuller" <fullermd@futuresouth.com>
To:        Christopher Petrilli <petrilli@amber.org>
Cc:        Brian Mitchell <brian@firehouse.net>, Colman Reilly <careilly@monoid.cs.tcd.ie>, Douglas Carmichael <dcarmich@mcs.com>, freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject:   Re: C2 Trusted FreeBSD? 
Message-ID:  <Pine.BSF.3.96.971013205059.3769F-100000@shell.futuresouth.com>
In-Reply-To: <199710132110.RAA29578@dworkin.amber.org>

On Mon, 13 Oct 1997, Christopher Petrilli wrote:

> >I'm fairly certain acl is _not_ a requirement in the dcl segment of c2.
> >acl is, after all, just another form of group control at its very base.
> 
> It is not "mandatory," however the following paragraph excerpted from the 
> TCSEC does make it clear that the existing group mechanism is NOT 
> acceptable:
> 
>      "The access controls shall be capable of including or excluding access
>       to the granularity of a single user."
I could be just being stupid here, but can't you do this by making
everyone a member of a group with their login ID, and them only as a
member and setting the file to (owner).user, mode 707, or something?
Wouldn't that give everyone but that person access to it?
Did anyone even follow that?  Not too clear, is it...

> 
> This exclusion part is what makes it very difficult.  You must be capable 
> of giving access to everyone BUT a specific user.  While theoretically I 
> guess you could do it by managing billions of separate groups, I think 
> it would fail nonetheless because of practical enforcement concerns.
> 
> Other than that, it's mostly documentation, and audit.  I would really 
> prefer to do an ACL extension to the file system, as I think it's useful 
> as it is :-)
> 
> Chris
> 
> --
> | Christopher Petrilli                               "That's right you're
> | petrilli@amber.org                                  not from Texas."


*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
|  FreeBSD; the way computers were meant to be    |
*    FreeBSD: turning PCs into workstations       *
| Windows: turning workstations into typewriters  |
* fullermd@futuresouth.com   :-}  MAtthew Fuller  *
|   http://keystone.westminster.edu/~fullermd     |
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
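
Added example, not part of the original message: a small Python model of the classic UNIX owner/group/other check, run against the "(owner).user, mode 707" idea from the reply and the one-group-per-excluded-set problem raised in the quoted text. The user names, the group `deny_bob_carol` and the helper functions are constructed for illustration, and the superuser bypass is left out.

```python
# Added illustration: classic UNIX owner/group/other check, superuser
# bypass omitted. All user and group names below are constructed.
from dataclasses import dataclass

R, W, X = 4, 2, 1

@dataclass(frozen=True)
class Cred:
    user: str
    groups: frozenset

@dataclass(frozen=True)
class File:
    owner: str
    group: str
    mode: int

def allowed(cred, f, want):
    """Consult only the first matching class; never fall through to 'other'."""
    if cred.user == f.owner:
        bits = (f.mode >> 6) & 7
    elif f.group in cred.groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return (bits & want) == want

def make_users(names, extra_groups):
    """Give each login a private group of the same name, plus any extra groups."""
    return {
        n: Cred(n, frozenset({n} | {g for g, m in extra_groups.items() if n in m}))
        for n in names
    }

# Hypothetical hand-built group needed to exclude two users at once.
EXTRA = {"deny_bob_carol": {"bob", "carol"}}
USERS = make_users(["alice", "bob", "carol", "dave"], EXTRA)

# The suggestion from the message: (owner).user, mode 707.
NO_BOB = File(owner="alice", group="bob", mode=0o707)
# A file has one group, so each distinct excluded set needs its own group.
NO_BOB_CAROL = File(owner="alice", group="deny_bob_carol", mode=0o707)

def readers(f, users=USERS):
    return sorted(n for n, c in users.items() if allowed(c, f, R))

if __name__ == "__main__":
    print(readers(NO_BOB))
    print(readers(NO_BOB_CAROL))
```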



