From: gary@acacia (Gary Moyer) Subject: Re: Access control lists and Linux Date: 3 Apr 1993 05:39:28 GMT
steve@rama.demon.co.uk (Steve Entwistle) writes:
: One possibility would be to develop a generalised security
: package, such as RACF, used on IBM Mainframe systems. This system uses a
: central database in which all the security information for various
: resources is stored, e.g. Files, Users, Terminals etc.
:
: A sample entry for a File resource might be :-
:
:
: Filename : /etc/foobar
: Default Access : NONE
:
: User fred, Access = READ
: Group Wheel, Access = UPDATE
:
:
: Rather than changing the filesystem code, you could insert a
: call to the resource checking routine in all the system calls that access
: the resource you want to protect (in this case, all the system calls concerned
: with file accesses). If there is no entry in the database for a particular
: file, I guess you would then just use the normal file permission bits.
:
: The advantages of doing it this way is that not only is it filesystem
: independent, but it is also readily extended to protecting other resources.
Thats an interesting idea. I can see 2 major drawbacks:
1) what protection scheme would be used for this centralized data base?
2) if it were stored on a secondary storage device: what would guarantee
security to it ?
Thoughts?
I've been digging into the kernel as of late and noticed that the author of
the ext2 filesystem already has some ACL structure embedded in the inode.
I'm drawing a total blank digging up documentation on ACLs. Would you have
any available (electronically possible)?
Thanks for the input.
-g.m.