Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!ll-xn!ames!pioneer!lamaster
From: lamaster@pioneer.arpa (Hugh LaMaster)
Newsgroups: comp.misc
Subject: Re: access-lists vs. unix permissions
Message-ID: <2360@ames.arpa>
Date: Wed, 15-Jul-87 11:57:35 EDT
Article-I.D.: ames.2360
Posted: Wed Jul 15 11:57:35 1987
Date-Received: Fri, 17-Jul-87 06:03:53 EDT
References: <1334@ssc-vax.UUCP>
Sender: usenet@ames.arpa
Reply-To: lamaster@ames.UUCP (Hugh LaMaster)
Organization: NASA Ames Research Center, Moffett Field, Calif.
Lines: 49
Keywords: security

In article <1334@ssc-vax.UUCP> herber@ssc-vax.UUCP (David A Wilson) writes:

>significant changes, but no higher. The problem occurs at level B1 which
>requires access-lists for files.

>	The issue I would like to discuss is why are access-lists considered
>more secure than unix-style owner/group/other permission (as the specification
>seems to apply)? Are there any studies that show this? I can see no reason

Access lists are much more secure, in practice, than owner/group/other.  I have
had a wide experience on many other systems before coming to Unix, and I can
say that not having access lists is a severe handicap.  In a "normal"
operating system with access lists, files are readable only by the owner or by
certain O/S utilities that must be run from the console.  Other files must be
given permission on a file or directory basis before anyone can read them.
Since security is on a file basis instead of on a person basis ("group"
basis), it is much easier for users to, by default, protect all their files
and still give permission to those who need access.  If you don't see the
distinction, you may not have worked on a system with hundreds of users,
unknown to yourself, with some of them legitimately presumed to be
"suspicious", and yet where you still had to share SOME files with some users
who also may not be ENTIRELY trustworthy.  Whenever you have to share data
with people but not others on an individual basis (e.g. licensed source code
is always a good example) on a large system where most people are strangers,
then you have a problem.

To summarize, the main problem is not penetration from the outside, but
penetration from the inside on a system with a large number of strangers.

A second point.  Most unix security problems actually arise because SUID and
known files were used to add functions instead of adding system calls.  There
is no known way to add O/S functions securely without adding system calls in a
conventional system.  It MAY be possible in a capability based system.
  Hugh LaMaster, m/s 233-9,  UUCP {seismo,topaz,lll-crg,ucbvax}!
  NASA Ames Research Center                ames!pioneer!lamaster
  Moffett Field, CA 94035    ARPA lamaster@ames-pioneer.arpa
  Phone:  (415)694-6117      ARPA lamaster@pioneer.arc.nasa.gov

                 "IBM will have it soon"

(Disclaimer: "All opinions solely the author's responsibility")
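The sharing case the post argues from, as an added illustration that is not part of the original article: a small Python model of both permission schemes, with a constructed user list and one site-defined group, showing that owner/group/other either locks the intended colleagues out (mode 600) or lets an unwanted group member in (mode 640), while a per-file access list grants exactly the named users.

```python
from dataclasses import dataclass, field

READ = 4  # the "r" bit of a Unix mode digit

# Constructed sample: one site-defined group that already contains a user the
# owner does not want to share with; the owner cannot create a new group alone.
GROUPS = {"eng": {"alice", "bob", "carol", "mallory"}}
USERS = ["alice", "bob", "carol", "mallory", "dave"]

@dataclass
class UgoFile:
    """Unix-style file: one owner, one group, (owner, group, other) mode digits."""
    owner: str
    group: str
    mode: tuple

@dataclass
class AclFile:
    """Access-list file: the owner plus explicit per-user grants, nothing implicit."""
    owner: str
    acl: dict = field(default_factory=dict)  # user -> permission bits

def ugo_can_read(f, user):
    """Classic owner/group/other check: the first matching class decides."""
    if user == f.owner:
        return bool(f.mode[0] & READ)
    if user in GROUPS.get(f.group, set()):
        return bool(f.mode[1] & READ)
    return bool(f.mode[2] & READ)

def acl_can_read(f, user):
    """Access-list check: only the owner and explicitly listed users may read."""
    return user == f.owner or bool(f.acl.get(user, 0) & READ)

def readers(check, f):
    """Return the set of sample users that can read f under the given check."""
    return {u for u in USERS if check(f, u)}

# alice wants bob and carol, and nobody else, to read her licensed source.
ugo_closed = UgoFile("alice", "eng", (6, 0, 0))   # mode 600: bob and carol locked out
ugo_open   = UgoFile("alice", "eng", (6, 4, 0))   # mode 640: mallory gets in as well
acl_shared = AclFile("alice", {"bob": READ, "carol": READ})

if __name__ == "__main__":
    for name, chk, f in [("ugo 600", ugo_can_read, ugo_closed),
                         ("ugo 640", ugo_can_read, ugo_open),
                         ("acl", acl_can_read, acl_shared)]:
        print(f"{name:8} readers: {sorted(readers(chk, f))}")
```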