Date: Tue, 14 Oct 1997 11:49:20 -0400 (EDT) From: "Christopher G. Petrilli" <petrilli@amber.org> To: Brian Beattie <beattie@stt3.com> Cc: Brian Mitchell <brian@firehouse.net>, Colman Reilly <careilly@monoid.cs.tcd.ie>, Douglas Carmichael <dcarmich@mcs.com>, freebsd-security@FreeBSD.ORG Subject: Re: C2 Trusted FreeBSD? Message-ID: <Pine.BSF.3.96.971014114159.2865D-100000@dworkin.amber.org> In-Reply-To: <Pine.GSO.3.95.971014083012.1809E-100000@durin>
next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 14 Oct 1997, Brian Beattie wrote: > > This exclusion part is what makes it very difficult. You must be capable > > of giving access to everyone BUT a specific user. While theoretically I > > guess you could do it by managing billions of sepereate groups, I think > > it would fail none the less because of practical enforcement concerns. > > This is an over-rigous reading of this requirement. The Gould (B1?) > system made it clear that UNIX access control meets this requirement. > This can be understood when you read the requirement to say that: it must > be possible to exclude access to an object by one particular user. This > does not say that the system must provide a mechanizim to exclude access > to an object by everyuser on a user-by-user basis, a requirement every > system would fail. While you're right that the UNIX system might meet minimum requirements, it would become unworkable in practice, and thereby I think we need to investigate the idea of ACLs implemented in to the FS. This has other distinct advantages that are not always obvious. At a company I used to work at we had a system with 12,000 accounts (database system, long story), and it used groups to enforce access. On this system we had over 1,500 groups, and I can testify that it was nearly impossible to maintain them in any coherent strategy. I'd like to see us move forward with perhaps a new paradigm in managing access control to files, using strong inheraatence principles (i.e. allow files to be restricted while inheriting the restrictions of the directory, without having to necessarily ittterate them). I think this would help in pushing into a unified access control system for all access to the file system. Why not allow unification of web/non-web access into a single ACL structure? > When reading the Orange Book, remember that to meet the requirements it is > in general sufficent to meet only the minumum requirements. The authors > were very careful is laying out the requirements with-out makeing > asumptions on how they might be met. You're absolutely rtight, but realistic interpretation says C2 is largely useless. I'd like to see FreeBSD pursue red-book interpretations of the TCSEC rather than some standalone idea. For note, Windows NT is certified C2, but only when it doesn't have a network card or floppy in it. Since this is silly, we need to understand the world is now networked and pursue the architecture from that perspective. For example... implementation of policy-based and labelled VLANs thru cryptographic enforcement and virtual-interfaces (B2 requires manadatory labeling of all interfaces, and currently, almost all B2 certified systems have a "single-level" interface). This would allow you to have a trusted management network layered on top of the main network. This begins to make the MLS system concepts usable in a more realistic manner. Chris
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.971014114159.2865D-100000>