MAC question again

Casey Schaufler casey at sgi.com
Tue Sep 28 19:37:45 GMT 1999


Ilmar S. Habibulin wrote:

> Now question number two - can these categories be emulated by means of
> DAC groups? Why is there an additional essence? Maybe MAC could be used
> without DAC?

The important difference between MAC and DAC is who controls the
access control on an object. With DAC, some authorized user (on
unix it's the owner) is allowed to decide at her discretion (the
"D" in DAC) what the access should be. With MAC, the access control
is mandatory (the "M" in MAC) and outside the control of anyone
but the system.

If you wanted a system with MAC but no DAC you could lock down
umask(2), chmod(2), and chown(2) and use the mode bits to implement
a policy. I don't think you'd have a lot of success getting
applications to run under such a system, and our old friend the
setuid bit would require some attention, but you could do it.
 
-- 

Casey Schaufler                         voice: (650) 933-1634
casey at sgi.com                           fax:   (650) 933-0170
To Unsubscribe: send mail to majordomo at cyrus.watson.org
with "unsubscribe posix1e" in the body of the message
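The distinction Casey draws above (the owner controls DAC mode bits; only the system controls MAC labels) can be shown in a small toy reference monitor. This is an added example, not code from the thread or from any POSIX.1e implementation: it assumes a Bell-LaPadula style dominance rule (read requires the subject's clearance to dominate the file label, write requires the file label to dominate the clearance), labels made of a level plus a set of categories, and made-up users and files. It also models the "MAC but no DAC" idea from the second paragraph with a `chmod_locked` switch that refuses mode changes even from the owner.

```python
"""Toy reference monitor contrasting DAC (owner-controlled mode bits) with
MAC (system-controlled labels with a level and categories).
Constructed teaching example; not POSIX.1e or any real kernel's code."""
from dataclasses import dataclass
import stat


@dataclass(frozen=True)
class Label:
    level: int                          # e.g. 0 = UNCLASSIFIED, 2 = SECRET
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level at least as high AND a superset of categories.
        return self.level >= other.level and other.categories <= self.categories


@dataclass
class Subject:
    uid: int
    gids: frozenset
    clearance: Label                    # assigned by the system, not the user


@dataclass
class File:
    owner: int
    group: int
    mode: int                           # permission bits, owner-settable (DAC)
    label: Label                        # sensitivity label, system-only (MAC)


READ, WRITE = "read", "write"


def dac_allows(s: Subject, f: File, op: str) -> bool:
    """Classic unix owner/group/other mode-bit check."""
    if s.uid == f.owner:
        bit = stat.S_IRUSR if op == READ else stat.S_IWUSR
    elif f.group in s.gids:
        bit = stat.S_IRGRP if op == READ else stat.S_IWGRP
    else:
        bit = stat.S_IROTH if op == READ else stat.S_IWOTH
    return bool(f.mode & bit)


def mac_allows(s: Subject, f: File, op: str) -> bool:
    """Bell-LaPadula style: no read up, no write down (assumed policy)."""
    if op == READ:
        return s.clearance.dominates(f.label)
    return f.label.dominates(s.clearance)


def access(s: Subject, f: File, op: str) -> bool:
    # Both checks must pass; the owner can relax DAC but never MAC.
    return dac_allows(s, f, op) and mac_allows(s, f, op)


def chmod(s: Subject, f: File, new_mode: int, chmod_locked: bool = False) -> bool:
    """DAC: the owner changes mode bits at her discretion, unless the system
    has locked chmod down (the 'MAC but no DAC' variant from the post)."""
    if chmod_locked or s.uid != f.owner:
        return False
    f.mode = new_mode
    return True


def demo() -> dict:
    secret_nuclear = Label(2, frozenset({"NUCLEAR"}))   # constructed labels
    alice = Subject(1000, frozenset({100}), secret_nuclear)
    bob = Subject(1001, frozenset({100}), Label(2, frozenset()))   # no NUCLEAR category
    carol = Subject(1002, frozenset({200}), Label(3, frozenset({"NUCLEAR"})))
    f = File(owner=1000, group=100, mode=0o600, label=secret_nuclear)

    out = {"bob_read_before": access(bob, f, READ)}
    # Alice, the owner, opens the file up to everyone: that is her DAC right.
    out["alice_chmod"] = chmod(alice, f, 0o666)
    out["bob_dac_after"] = dac_allows(bob, f, READ)     # DAC now says yes
    out["bob_mac"] = mac_allows(bob, f, READ)           # MAC still says no
    out["bob_read_after"] = access(bob, f, READ)        # system wins
    out["carol_read"] = access(carol, f, READ)          # cleared higher: read ok
    out["carol_write"] = access(carol, f, WRITE)        # no write down
    out["alice_write"] = access(alice, f, WRITE)
    # With chmod locked by the system, even the owner cannot touch the bits.
    out["locked_chmod"] = chmod(alice, f, 0o600, chmod_locked=True)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The run shows the point of the reply: after Alice's `chmod`, DAC grants Bob read access, yet the MAC check still refuses him because his clearance lacks the NUCLEAR category, and no owner action can change that. It also shows why categories are not just DAC groups: group membership is granted by an administrator or owner, whereas the category set is part of a label the system alone controls.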