Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!gatech!bloom-beacon!langz
From: langz@athena.mit.edu (Lang Zerner)
Newsgroups: comp.misc
Subject: Re: access-lists vs. unix permissions
Message-ID: <1151@bloom-beacon.MIT.EDU>
Date: Thu, 16-Jul-87 13:39:46 EDT
Article-I.D.: bloom-be.1151
Posted: Thu Jul 16 13:39:46 1987
Date-Received: Sat, 18-Jul-87 07:46:34 EDT
References: <1334@ssc-vax.UUCP> <860@ssc-bee.ssc-vax.UUCP>
Sender: daemon@bloom-beacon.MIT.EDU
Reply-To: langz@athena.mit.edu (Lang Zerner)
Organization: Massachusetts Institute of Technology
Lines: 41
In article <860@ssc-bee.ssc-vax.UUCP> nelson@ssc-vax.UUCP (Paul W. Nelson) writes:
>in article <1334@ssc-vax.UUCP>, herber@ssc-vax.UUCP (David A Wilson) says:
>> I can see no reason
>> that unix permissions cannot provide equivalent level of data access
>> protection to access-lists. With multiple group membership, such as provided
>> in BSD Unix, file access can be controlled to any level desired.
>
>The problem with this approach is that it requires the system administrator
>to set up new groups.
This is a real problem, but it could be easily gotten around by implementing
access-group utilities which had write permission to /etc/group, but did not
give that permission to their invokers. For example, adduser
could make sure that its caller owns the file before
adding to the access group for . That way, the user would
not have the ability to arbitrarily diddle /etc/group, but would nevertheless
be able to alter the access groups to his or her own files *without* contacting
a system administrator.
>How many groups do you think would be required to
>cover each file that needs access-list type protection? It could be very
>significant,
Not relative to the number of access lists you would need to provide the same
protection. You would need exactly one group for each file which had access
list protection, just as you'd need exactly one access list per file in an
access list-based system.
>not to mention cumbersome trying to remember which group goes
>with which file.
Quite simple, really, if you just use group names like "/usr/jruser/libX.a".
Remember that /etc/group is an ASCII file, so it's not a problem to use slashes
and punctuation characters (except the colon) in group names.
------------------------------------------------------------------------------
Lang Zerner ARPA/Internet: langz@athena.mit.edu
UUCP/Usenet: ...{mirror|seismo|blblbl}!mit-eddie!langz@athena
USPS: P.O. Box 247, M.I.T. Branch, Cambridge, MA 02139
Phone: 617/628-7156
"Nothing is ever accomplished by a reasonable man." -- George Bernard Shaw
==============================================================================
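The per-file-group scheme described in the post above, as an added example that is not part of the original article: a Python sketch of the two things such a privileged helper would have to do, check that the caller owns the file before touching its group, and then edit the /etc/group record whose name is the file's path. The function names, the constructed group-file contents and the owner-lookup callback are my assumptions; a real helper would run setuid/setgid, lock the group file and write it atomically, which is left out here.

```python
import os
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed sample /etc/group contents (not taken from any real system).
# Per the post's convention, the group guarding a file is named after the file's path.
SAMPLE_GROUP_FILE = """wheel:*:0:root
staff:*:20:jruser,alice
/usr/jruser/libX.a:*:1001:jruser,bob
"""


@dataclass
class GroupEntry:
    name: str
    passwd: str
    gid: int
    members: List[str] = field(default_factory=list)

    def to_line(self) -> str:
        return f"{self.name}:{self.passwd}:{self.gid}:{','.join(self.members)}"


def parse_group_file(text: str) -> List[GroupEntry]:
    """Parse the ASCII /etc/group format: name:passwd:gid:member,member,..."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, passwd, gid, members = line.split(":", 3)
        entries.append(GroupEntry(name, passwd, int(gid), [m for m in members.split(",") if m]))
    return entries


def format_group_file(entries: List[GroupEntry]) -> str:
    return "".join(e.to_line() + "\n" for e in entries)


def valid_group_name(name: str) -> bool:
    # Slashes and most punctuation are fine in the ASCII file; the colon is the
    # field separator, and a newline or comma would corrupt the record.
    return bool(name) and not any(c in name for c in ":\n,")


def add_file_group_member(
    group_text: str,
    file_path: str,
    new_member: str,
    caller_uid: int,
    owner_uid_of: Callable[[str], Optional[int]] = lambda p: os.stat(p).st_uid,
) -> str:
    """Return the updated group-file text, or raise PermissionError / ValueError.

    The ownership check is the whole point: the helper holds write access to the
    group file, but only acts on the group of a file the caller actually owns.
    """
    if not valid_group_name(file_path) or not valid_group_name(new_member):
        raise ValueError("name contains a field separator")
    if owner_uid_of(file_path) != caller_uid:
        raise PermissionError(f"uid {caller_uid} does not own {file_path}")
    entries = parse_group_file(group_text)
    for e in entries:
        if e.name == file_path:
            if new_member not in e.members:
                e.members.append(new_member)
            return format_group_file(entries)
    # No group exists yet for this file: allocate the next gid above the existing ones.
    next_gid = max((e.gid for e in entries), default=999) + 1
    entries.append(GroupEntry(file_path, "*", next_gid, [new_member]))
    return format_group_file(entries)


def request_add(group_text, file_path, new_member, caller_uid, owner_uid_of) -> Tuple[str, str]:
    """Wrapper returning ("ok" | "denied" | "invalid", resulting text) instead of raising."""
    try:
        return "ok", add_file_group_member(group_text, file_path, new_member, caller_uid, owner_uid_of)
    except PermissionError:
        return "denied", group_text
    except ValueError:
        return "invalid", group_text


def members_of(group_text: str, group_name: str) -> Optional[List[str]]:
    for e in parse_group_file(group_text):
        if e.name == group_name:
            return list(e.members)
    return None


if __name__ == "__main__":
    # Constructed ownership table standing in for os.stat() on a real filesystem.
    owners = {"/usr/jruser/libX.a": 1000, "/usr/alice/secret": 1001}
    print(request_add(SAMPLE_GROUP_FILE, "/usr/jruser/libX.a", "carol", 1000, owners.get)[0])
    print(request_add(SAMPLE_GROUP_FILE, "/usr/jruser/libX.a", "carol", 1001, owners.get)[0])
```

The owner-lookup callback exists so the check can be exercised against a constructed ownership table; with the default it consults the real filesystem via `os.stat`.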