From: Jesse Pollard <pollard@admin.navo.hpc.mil>
To: "Trever L. Adams" <tadams-lists@myrealbox.com>,
Linus Torvalds <torvalds@transmeta.com>
Cc: Rusty Russell <rusty@rustcorp.com.au>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: The ACL debate (was: Re: What's left over.)
Date: Thu, 31 Oct 2002 10:47:07 -0600
Message-ID: <200210311047.07774.pollard@admin.navo.hpc.mil>
In-Reply-To: <1036061965.2425.20.camel@aurora.localdomain>

On Thursday 31 October 2002 04:59 am, Trever L. Adams wrote:

> 5) Only root can change group ownership of a file

Not quite - the owner of the file may change the group ownership to
any other group that the owner is a member of.

It does require root to change a file group to a group the owner is
not a member of.

> Why ACLs are bad:

ACLs alone are not enough. ACLs alone allow a user to grant
access to any other user/group. For situations that require a fence
between users (i.e. accounting/parts inventory) only a mandatory
access control (MAC) would be able to prevent such improper
data sharing. It is also a problem in government use. At least on
large, shared resource systems.

Putting users in disjoint group memberships accomplishes this.
Providing ACLs can allow improper sharing since that is a discretionary
permission.

Mitigating factors:

Adding MAC restores facility control, and still allows the user
some flexibility to create ad-hoc groups within an administratively
defined population group.

The normal UNIX solution is to have multiple systems, each dedicated
to a relatively small population where any user is authorized to access
data on that system (this is where limited groups come in), but owners
of the data may provide a more restricted access.

Having dedicated resources corresponds to the MAC access control.
Having owner/group/world access controls (and/or ACLs) provides
the owner with a discretionary access control for the administratively
controlled population of users.

A large resource usually has to be shared (wind tunnel simulations,
finite element analysis of different structures, large inventory
management...). And sharing doesn't necessarily involve sharing
data.

--
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil
Any opinions expressed are solely my own.
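
Added example, not part of the original message: the group-change rule stated in the reply above (an owner may change a file's group only to a group the owner belongs to), written as a predicate and compared against chown(2) on a scratch file. The function names, the scratch path and gid 60000 are assumptions made for the illustration, and euid 0 stands in for the CAP_CHOWN capability.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* The rule from the message as a predicate: the owner may move a file to any
 * group the owner belongs to; anything else needs privilege.
 * Assumption: euid 0 stands in for the CAP_CHOWN capability. */
int chgrp_allowed(uid_t euid, uid_t file_uid, gid_t target,
                  gid_t egid, const gid_t *groups, int ngroups)
{
    if (euid == 0)
        return 1;                 /* privileged: any group */
    if (euid != file_uid)
        return 0;                 /* not the owner: never */
    if (target == egid)
        return 1;                 /* caller's effective group */
    for (int i = 0; i < ngroups; i++)
        if (groups[i] == target)
            return 1;             /* owner is a member of the target group */
    return 0;
}

/* Attempt the real change; returns 0 on success or the errno from chown(2). */
int try_chgrp(const char *path, gid_t target)
{
    return chown(path, (uid_t)-1, target) == 0 ? 0 : errno;
}

int main(void)
{
    char path[] = "/tmp/chgrp-demo-XXXXXX";   /* scratch file, constructed */
    gid_t groups[256];
    int fd = mkstemp(path);                   /* file is owned by our euid */
    int n = getgroups(256, groups);
    if (fd < 0 || n < 0) { perror("setup"); return 1; }
    close(fd);
    gid_t tests[2] = { getegid(), 60000 };    /* 60000: assumed non-member gid */
    for (int i = 0; i < 2; i++) {
        int want = chgrp_allowed(geteuid(), geteuid(), tests[i],
                                 getegid(), groups, n);
        printf("gid %ld: predicted %s, chown errno %d\n", (long)tests[i],
               want ? "allowed" : "denied", try_chgrp(path, tests[i]));
    }
    unlink(path);
    return 0;
}
```

Run as an ordinary user, the second attempt is expected to fail with EPERM; the discretionary nature of the rule is that nothing beyond group membership limits where the owner may move the file.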