Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!rochester!cornell!uw-beaver!ssc-vax!herber
From: herber@ssc-vax.UUCP (David A Wilson)
Newsgroups: comp.misc
Subject: access-lists vs. unix permissions
Message-ID: <1334@ssc-vax.UUCP>
Date: Tue, 14-Jul-87 19:13:24 EDT
Article-I.D.: ssc-vax.1334
Posted: Tue Jul 14 19:13:24 1987
Date-Received: Fri, 17-Jul-87 04:13:42 EDT
Organization: Boeing Aerospace Corp., Seattle WA
Lines: 27
Keywords: security

I have been encountering articles on computer security that refer to the
US Government Specification document, I believe it is known as the
'Orange book'. The articles refer to requirements for computer security
categories referred to by designators such as: C1, C2, B1, B2, A1. There
was an article in Unix Review a few months ago about how unix fits into
these categories. According to the article, Unix can satisfy levels up to
C2 without any significant changes, but no higher. The problem occurs at
level B1 which requires access-lists for files.

The issue I would like to discuss is why are access-lists considered more
secure than unix-style owner/group/other permission (as the specification
seems to apply)? Are there any studies that show this?

I can see no reason that unix permissions cannot provide an equivalent
level of data access protection to access-lists. With multiple group
membership, such as provided in BSD Unix, file access can be controlled
to any level desired. Unix should be able to meet all other criteria
specified in the document without much change, if this requirement were
changed to allow unix-style permissions.

Does anyone have any other thoughts on this subject?

David A. Wilson
uw-beaver!ssc-vax!herber
--
David A. Wilson
uw-beaver!ssc-vax!iscland w
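
The comparison the post asks about can be made concrete. The following is an added example, not part of the original post: it checks whether a per-user access list for a single file can be written as one owner, one group and "other" bits, and counts the distinct groups that takes. The user names, file names and function names are constructed; it assumes any named user may be made the owner and looks only at the file's own mode bits, not at directory permissions on the path.

```python
# Added illustration, not from the post. Classic Unix mode bits are modelled
# as three exclusive classes checked in order: owner, group members, other.
# Assumptions: any named user may own the file; directory bits are ignored.

def norm(rights):
    """Canonical form of a rights string, e.g. "wr" -> "rw"."""
    return "".join(sorted(set(rights)))

def acl_to_mode(acl, other=""):
    """Map {user: rights} plus a default for everyone else to a dict with
    owner/group/other bits, or None if three classes cannot express it."""
    other = norm(other)
    by_rights = {}
    for user, rights in acl.items():
        if norm(rights) != other:          # default users fall under "other"
            by_rights.setdefault(norm(rights), set()).add(user)
    classes = sorted(by_rights.items(), key=lambda kv: len(kv[1]))
    if not classes:
        raise ValueError("no user has non-default rights")
    if len(classes) > 2:
        return None                        # more than two non-default rights sets
    if len(classes) == 2:
        (o_bits, o_users), (g_bits, g_users) = classes
        if len(o_users) != 1:
            return None                    # the owner class holds exactly one user
        owner = next(iter(o_users))
    else:
        g_bits, g_users = classes[0]
        owner, o_bits = min(g_users), g_bits
        g_users = g_users - {owner}
    return {"owner": owner, "owner_bits": o_bits,
            "group": frozenset(g_users), "group_bits": g_bits,
            "other_bits": other}

def groups_needed(mappings):
    """Number of distinct groups an administrator must define."""
    return len({m["group"] for m in mappings if m and m["group"]})

# Constructed sample access lists (user and file names are hypothetical).
SAMPLES = {
    "report": {"alice": "rw", "bob": "r", "carol": "r"},
    "ledger": {"alice": "rw", "bob": "r", "dave": "r"},
    "design": {"alice": "rw", "carol": "rw", "bob": "r", "dave": "r"},
}

if __name__ == "__main__":
    results = [acl_to_mode(acl) for acl in SAMPLES.values()]
    print(results, "groups needed:", groups_needed(results))
```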