Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!ll-xn!ames!amdahl!rrs
From: rrs@amdahl.amdahl.com (Bob Snead)
Newsgroups: comp.misc
Subject: Re: access-lists vs. unix permissions
Message-ID: <10210@amdahl.amdahl.com>
Date: Wed, 15-Jul-87 12:01:57 EDT
Article-I.D.: amdahl.10210
Posted: Wed Jul 15 12:01:57 1987
Date-Received: Fri, 17-Jul-87 06:38:37 EDT
References: <1334@ssc-vax.UUCP>
Organization: Amdahl Corp, Sunnyvale CA
Lines: 29
Keywords: security
Summary: clarification of discretionary access controls

In article <1334@ssc-vax.UUCP>, herber@ssc-vax.UUCP (David A Wilson) writes:
> According to the article, Unix can satisfy levels up to C2 without any
> significant changes, but no higher. The problem occurs at level B1 which
> requires access-lists for files.
>

Access control lists are one mechanism for implementing what is called
discretionary access controls; permission bits are another. Such controls
are required for C-level certification according to the TCSEC (the orange
book). So, as far as discretionary access controls, UNIX could be certified
at the C2 level. Permission bits, however, are viewed as a cumbersome
mechanism to control access at the granularity of an individual. Access
control lists are a much cleaner mechanism.

At the B level mandatory access control is required (Top Secret, Secret,
etc.) in addition to discretionary access control (and lots of other stuff).

Claimer: "There is no way of exchanging information that does not
demand an act of judgment." - Jacob Bronowski

Disclaimer: If you perceived opinions in what I have written they are
probably your own and certainly not Amdahl Corp's.

Bob Snead
Future Computing Technologies
Amdahl Corp.
UUCP: ..!{ihnp4, hplabs, amd, sun, ...}!amdahl!rrs