From owner-freebsd-security  Tue Oct 14 08:54:10 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id IAA25762
          for security-outgoing; Tue, 14 Oct 1997 08:54:10 -0700 (PDT)
          (envelope-from owner-freebsd-security)
Received: from dworkin.amber.org (petrilli@dworkin.amber.org [209.31.146.74])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA25755
          for <freebsd-security@FreeBSD.ORG>; Tue, 14 Oct 1997 08:54:04 -0700 (PDT)
          (envelope-from petrilli@amber.org)
Received: from localhost (petrilli@localhost)
	by dworkin.amber.org (8.8.7/8.8.7) with SMTP id LAA02491;
	Tue, 14 Oct 1997 11:53:55 -0400 (EDT)
Date: Tue, 14 Oct 1997 11:53:55 -0400 (EDT)
From: "Christopher G. Petrilli" <petrilli@amber.org>
To: Brian Beattie <beattie@stt3.com>
cc: "Matthew D. Fuller" <fullermd@futuresouth.com>,
        Brian Mitchell <brian@firehouse.net>,
        Colman Reilly <careilly@monoid.cs.tcd.ie>,
        Douglas Carmichael <dcarmich@mcs.com>, freebsd-security@FreeBSD.ORG
Subject: Re: C2 Trusted FreeBSD? 
In-Reply-To: <Pine.GSO.3.95.971014084124.1809G-100000@durin>
Message-ID: <Pine.BSF.3.96.971014114946.2865E-100000@dworkin.amber.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 14 Oct 1997, Brian Beattie wrote:

> > I could be just being stupid here, but can't you do this by making
> > everyone a member of a group with their login ID, and them only as a
> > member and setting the file to (owner).user, mode 707, or something?
> > Wouldn't that give everyone but that persona ccess to it?
> > Did anyone even follow that?  not too clear, is it...
> 
> Some people often read this requirement to mean that it must be possible
> to set access rights on a file to exclude some arbitrary set of users.  To
> do this you need one group for each permutation of users.  Techincally
> possible but infeasable.  In fact I agree with your interpretation and I
> believe so do the evaluators and most people in the INFOSEC community.

According to the local NSA rep sitting down the hall, this is incorrect,
and the INTENT is to allow for abritrary groups to be excluded from an
arbitrary number of files.  While you're absolutely correct that in
PRACTICE this would be ok on a system with a relatively small number of
users, remember that the orange book deals with stand-alone systems, which
traditionally have had large numbers of users.  Obviously we can all do
the permutation calculations even when we hit 100 users the theoretical
problem is enormous.

See my previous message abouy why we should evaluate ACL structures
regardless of what we do in regards C2 certification.

Chris