From: Robert Watson
Date: Sun, 19 Aug 2001 21:57:16 -0400 (EDT)
To: Jonathan Slivko
Cc: Ken Cross, freebsd-security@freebsd.org
Subject: Re: DENY ACL's

Just as a general comment on our current ACL implementation: we use
POSIX.1e because it is a (de facto) standard, not because it is perfect.
When I looked at the available ACL models in use outside of FreeBSD, it
provided the best combination of benefits, when weighing factors such as
application portability, UNIX model compatibility, etc. A number of
people spent a great deal of time making POSIX.1e ACLs have these
properties, and although the standard was never finalized, it's no
coincidence that ACLs on almost all major UNIX platforms have the same
semantics, if not the same interface.

On the other hand, I'm personally a big fan of AFS ACLs, which are
associated only with directories (not individual files per se), and
exist side-by-side with a user-managed group model. Sadly, that model
integrates poorly with standard UFS semantics, and departs significantly
from the UNIX/POSIX model in terms of applications failing "nicely" when
it comes to security.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services