Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!ll-xn!ames!pioneer!lamaster
From: lamaster@pioneer.arpa (Hugh LaMaster)
Newsgroups: comp.misc
Subject: Re: access-lists vs. unix permissions
Message-ID: <2360@ames.arpa>
Date: Wed, 15-Jul-87 11:57:35 EDT
Article-I.D.: ames.2360
Posted: Wed Jul 15 11:57:35 1987
Date-Received: Fri, 17-Jul-87 06:03:53 EDT
References: <1334@ssc-vax.UUCP>
Sender: usenet@ames.arpa
Reply-To: lamaster@ames.UUCP (Hugh LaMaster)
Organization: NASA Ames Research Center, Moffett Field, Calif.
Lines: 49
Keywords: security

In article <1334@ssc-vax.UUCP> herber@ssc-vax.UUCP (David A Wilson) writes:
>significant changes, but no higher. The problem occurs at level B1 which
>requires access-lists for files.
> The issue I would like to discuss is why are access-lists considered
>more secure than unix-style owner/group/other permission (as the specification
>seems to apply)? Are there any studies that show this? I can see no reason

Access lists are much more secure, in practice, than owner/group/other. I have
had a wide experience on many other systems before coming to Unix, and I can
say that not having access lists is a severe handicap. In a "normal" operating
system with access lists, files are readable only by the owner or by certain
O/S utilities that must be run from the console. Other files must be given
permission on a file or directory basis before anyone can read them. Since
security is on a file basis instead of on a person basis ("group" basis), it
is much easier for users to, by default, protect all their files and still
give permission to those who need access. If you don't see the distinction,
you may not have worked on a system with hundreds of users, unknown to
yourself, with some of them legitimately presumed to be "suspicious", and yet
where you still had to share SOME files with some users who also may not be
ENTIRELY trustworthy.

Whenever you have to share data with people but not others on an individual
basis (e.g. licensed source code is always a good example) on a large system
where most people are strangers, then you have a problem. To summarize, the
main problem is not penetration from the outside, but penetration from the
inside on a system with a large number of strangers.

A second point. Most unix security problems actually arise because SUID and
known files were used to add functions instead of adding system calls. There
is no known way to add O/S functions securely without adding system calls in
a conventional system. It MAY be possible in a capability based system.

Hugh LaMaster, m/s 233-9,                   UUCP {seismo,topaz,lll-crg,ucbvax}!
NASA Ames Research Center                          ames!pioneer!lamaster
Moffett Field, CA 94035                     ARPA lamaster@ames-pioneer.arpa
Phone:  (415)694-6117                       ARPA lamaster@pioneer.arc.nasa.gov
"IBM will have it soon"
(Disclaimer: "All opinions solely the author's responsibility")
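The sharing problem the post describes, worked through as an added example that is not part of the original post: a small model of Unix owner/group/other read checks beside an access list, searching every permission setting to see whether a chosen set of readers can be expressed at all. The users, the single group and the sharing scenario are constructed sample data.

```python
"""Owner/group/other can only name the readers as {owner}, one existing
group, or everyone, so sharing with an arbitrary subset of users needs a
group with exactly that membership (which ordinary users cannot create).
An access list names the readers directly. Sample data is constructed."""
from itertools import product

# Constructed sample system: five users, and "staff" is the only group.
USERS = {"hugh", "alice", "bob", "carol", "dave"}
GROUPS = {"staff": {"hugh", "alice", "bob", "carol"}}


def ugo_readers(owner, group, bits, users=USERS, groups=GROUPS):
    """Users who can read a file under Unix rules: the owner is judged by the
    owner bit only, group members by the group bit, everyone else by other."""
    owner_r, group_r, other_r = bits

    def can_read(u):
        if u == owner:
            return owner_r
        if u in groups[group]:
            return group_r
        return other_r

    return {u for u in users if can_read(u)}


def ugo_can_express(owner, wanted, users=USERS, groups=GROUPS):
    """Return a (group, (owner_r, group_r, other_r)) setting whose readers are
    exactly `wanted`, or None if no setting produces that set."""
    for group, bits in product(groups, product((0, 1), repeat=3)):
        if ugo_readers(owner, group, bits, users, groups) == wanted:
            return group, bits
    return None


def ugo_leak(owner, wanted, users=USERS, groups=GROUPS):
    """Extra readers admitted by the tightest ugo setting that still lets
    everyone in `wanted` read; an empty set means the grant is exact."""
    best = None
    for group, bits in product(groups, product((0, 1), repeat=3)):
        readers = ugo_readers(owner, group, bits, users, groups)
        if wanted <= readers and (best is None or len(readers) < len(best)):
            best = readers
    return best - wanted


def acl_readers(owner, acl, users=USERS):
    """Access list: the owner plus exactly the principals named on the file."""
    return {owner} | (set(acl) & users)
```

Sharing licensed source with alice and bob but not carol cannot be expressed with the bits, while the access list grants exactly that set.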