dcsimg
Linux Today: Linux News On Internet Time.




More on LinuxToday


LinuxSecurity.com: Advanced Access Control with the Trustees Project

Jul 20, 2000, 19:46 (0 Talkback[s])
(Other stories by Dave Wreski)

"The Linux Trustees Project is an effort to create improved access control and advanced file permission management similar to other operating systems...."

"Linux Trustees project borrows "trustee" idea from Novel's Netware OS. A trustee is object that give a given group or user access to a complete directory tree, not just a single file. In my own experience, the typical task that a file system administrator has is "to have a directory that some users R/W access, some R/O, others - nothing."

"It can be done via a single click of mouse using Netware Administrator, but it is still complex in all other OSs."

"In my understanding and experience, the standard Unix and Linux file permission model simple does not allow to have 2 different groups have different (say, R/O & R/W) access for a single file. In UNIX you just have owner, owner's group, and "others" permission, that give you no flexibility to manage access on per group basis. This problem is in certain degree resolved by different implementations of POSIX ACLs. ACL is basically a list of "access control records" each of them allows access to given file to a given user or group. The problem is that ACLs are affective on per file basis (in NT there are default ACLs that copied to new files that created in directory), that makes administration quite a complex. Moreover, millions of ACL required to implement a single security policy is a potential security risk, because it is not easy to verify them even if the tools are provided."

Complete Story

Related Stories: