Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!ll-xn!cit-vax!oberon!bloom-beacon!langz
From: langz@athena.mit.edu (Lang Zerner)
Newsgroups: comp.misc
Subject: Re: access-lists vs. unix permissions
Message-ID: <1144@bloom-beacon.MIT.EDU>
Date: Wed, 15-Jul-87 20:16:36 EDT
Article-I.D.: bloom-be.1144
Posted: Wed Jul 15 20:16:36 1987
Date-Received: Sat, 18-Jul-87 04:30:17 EDT
References: <1334@ssc-vax.UUCP>
Sender: daemon@bloom-beacon.MIT.EDU
Reply-To: langz@athena.mit.edu (Lang Zerner)
Organization: Massachusetts Institute of Technology
Lines: 70
Keywords: security

In article <1334@ssc-vax.UUCP> herber@ssc-vax.UUCP (David A Wilson) writes:
>The articles refer to requirements for computer security categories
>referred to by designators such as: C1, C2, B1, B2, A1. There was an article
>in Unix Review a few months ago about how unix fits in to these categories.
>According to the article, Unix can satisfy levels up to C2 without any
>significant changes, but no higher. The problem occurs at level B1 which
>requires access-lists for files.
>
>	The issue I would like to discuss is why are access-lists considered
>more secure than unix-style owner/group/other permissions (as the specification
>seems to apply)? Are there any studies that show this? I can see no reason
>that unix permissions cannot provide an equivalent level of data access
>protection to access-lists. With multiple group membership, such as provided
>in BSD Unix, file access can be controlled to any level desired.
>
>	Does anyone have any other thoughts on this subject?

I agree with David that the owner/group/other permissions are sufficient.  All
that is needed to obtain access lists for files is to have a corresponding
group for every file in the system.  To implement file access lists using the
permissions system, all that would be necessary would be to have each file have
its own entry in /etc/group, along with the appropriate permissions.  For
example, if user joeschmoe creates a file called 'libX.a' in /usr/joeschmoe, an
addition would be made to /etc/group consisting of a line reading:

/usr/joeschmoe/libX.a:::joeschmoe

(where  is a unique group number such as the highest existing group
number + 1; if /etc/group needs all alphanumeric group *names*, unique names
can be generated in a similar manner) and default permissions -rwxrwx---.  To
add people to the access list for the file, simply append their names to the
end of the /etc/group name of the file.  So to add user jruser to the access
list for /usr/joeschmoe/libX.a, you simply add to the above /etc/group line to
yield:

/usr/joeschmoe/libX.a:::joeschmoe,jruser

Using this system, the owner of the file can deny access to the file to anyone
in the group, or allow access to the world, by using chmod.  Two ways exist to
add users to the access list: (1) to add specific users, contact a superuser
(who presumably is trusted to be responsible for the security of the system),
since only root can modify /etc/group; and (2) if you created the file, use
chmod to allow world access.  If it is not appropriate to allow nonroot users
to allow world access, root creates the file.

The only modification to unix per se to implement this system is one that would
create the entry in /etc/group (i.e. generating a unique group number, etc)
whenever a file is *first* created.  After that, all that would be needed is a
set of superuser utilities for effecting the modifications to /etc/group, such
as:

addaccess  

(which would add  to the access list for ) along with other
utilities for removing access, etc.

There will probably be arguments regarding disk space usage, etc, but remember
that no matter how you slice it, you've got to put the access lists
*somewhere*.  Also, I don't know how difficult it would be to make that one
modification that adds the /etc/group entry at first creation of a file.  The
only seemingly efficient thing would be to modify whatever routine creates the
directory entry.  Any thoughts, unix hackers and wizards?  Is it really as
simple as it seems?
------------------------------------------------------------------------------
 Lang Zerner	ARPA/Internet: langz@athena.mit.edu
		UUCP/Usenet: ...{mirror|seismo|blblbl}!mit-eddie!langz@athena
		USPS: P.O. Box 247, M.I.T. Branch, Cambridge, MA  02139
		Phone: 617/628-7156
 "Nothing is ever accomplished by a reasonable man."   -- George Bernard Shaw
==============================================================================
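The bookkeeping the post sketches (one /etc/group entry per file, gid = highest existing + 1, an addaccess-style utility that appends a user to that entry, and the owner using chmod to open or close the group and world classes) can be modelled in a few lines. The following is an added example and is not part of Lang's post nor any real Unix utility: it works on an in-memory copy of a constructed group(5) file, keeps the file's gid in a Python object where a real system would store it in the inode via chgrp, and uses the "f<gid>" alphanumeric group-name variant the post mentions rather than the full path as the group name. The FileAcl class, its method names, and the sample /etc/group contents are all assumptions made for the illustration; nothing here touches the real /etc/group or calls chmod/chgrp.

```python
"""Model of the one-group-per-file access-list scheme (added example,
not the poster's code).  Operates on a copy of group(5) text in memory."""

# Constructed sample /etc/group contents (not taken from any real system).
SAMPLE_GROUP = """wheel:*:0:root
staff:*:10:joeschmoe,jruser
users:*:100:joeschmoe,jruser,sam
"""

# Permission classes and the r/w/x bits a caller asks for, as in chmod(2).
S_IRWXU, S_IRWXG, S_IRWXO = 0o700, 0o070, 0o007
R, W, X = 4, 2, 1


def parse_group(text):
    """Parse group(5) lines into a list of [name, password, gid, members]."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, passwd, gid, members = line.split(":", 3)
        entries.append([name, passwd, int(gid), [m for m in members.split(",") if m]])
    return entries


def format_group(entries):
    """Serialize entries back to group(5) text."""
    return "".join(f"{n}:{p}:{g}:{','.join(m)}\n" for n, p, g, m in entries)


def find_group(entries, gid):
    """Return the entry with the given gid (KeyError if absent)."""
    for entry in entries:
        if entry[2] == gid:
            return entry
    raise KeyError(f"no group with gid {gid}")


class FileAcl:
    """One file under the scheme: owner, mode bits, and its private group.

    The gid attribute stands in for what chgrp would store in the inode.
    The group name is generated from the gid ("f<gid>"), so uniqueness of
    the name follows from uniqueness of the gid and the file's path never
    has to satisfy group(5)'s naming rules.  (Assumed design, not the post's.)
    """

    def __init__(self, entries, path, owner, mode=0o770):
        gid = max(e[2] for e in entries) + 1      # "highest existing + 1"
        name = f"f{gid}"
        assert all(e[0] != name for e in entries), "group name collision"
        entries.append([name, "*", gid, [owner]])  # owner is first on the list
        self.entries, self.path, self.owner = entries, path, owner
        self.gid, self.mode = gid, mode

    def members(self):
        return list(find_group(self.entries, self.gid)[3])

    def add_access(self, user):
        """addaccess: append a user to the file's group (root's job for real)."""
        members = find_group(self.entries, self.gid)[3]
        if user not in members:
            members.append(user)

    def remove_access(self, user):
        """The corresponding removal utility."""
        members = find_group(self.entries, self.gid)[3]
        if user in members:
            members.remove(user)

    def chmod(self, mode):
        """What the owner can do without root: widen or narrow group/world."""
        self.mode = mode

    def can(self, user, want):
        """Owner/group/other check: the first class that matches decides,
        so an owner with no owner bits is refused even if on the group list."""
        if user == "root":
            return True
        if user == self.owner:
            bits = (self.mode & S_IRWXU) >> 6
        elif user in self.members():
            bits = (self.mode & S_IRWXG) >> 3
        else:
            bits = self.mode & S_IRWXO
        return (bits & want) == want
```

Creating a second file allocates the next gid in the same way, which is also where the post's disk-space remark bites: every file created adds a line to /etc/group, and every permission check that consults group membership has to find that line.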