MAC question again

Ilmar S. Habibulin ilmar at ints.ru
Wed Sep 29 03:33:47 GMT 1999


On Tue, 28 Sep 1999, Casey Schaufler wrote:

> > Now question number two - can these categories be emulated by means of
> > DAC groups? Why is there an additional essence? Maybe MAC could be used
> > without DAC?
> The important difference between MAC and DAC is who controls the
> access control on an object. With DAC, some authorized user (on
Ok. This is chmod() & chown().

> unix it's the owner) is allowed to decide at her discretion (the
> "D" in DAC) what the access should be. With MAC, the access control
> is mandatory (the "M" in MAC) and outside the control of anyone
> but the system.
And what about mac_set_fd() & mac_set_file()? Who can use these calls -
owner and suser, no? So what's the difference?

> If you wanted a system with MAC but no DAC you could lock down
> umask(2), chmod(2), and chown(2) and use the mode bits to implement
> a policy. I don't think you'd have a lot of success getting
> applications to run under such a system, and our old friend the
> setuid bit would require some attention, but you could do it.
No, I don't want a MAC system without DAC. I just want to understand MAC and
POSIX. And implement it correctly.
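
The DAC/MAC distinction discussed in this thread, as an added example that is not part of the original message and is not POSIX.1e draft code. It assumes a label made of a level plus a category bitmask and treats a "privileged" flag as the stand-in for "the system"; all struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model types; not the POSIX.1e draft API. */
struct label   { int level; unsigned cats; };   /* MAC: level + category bitmask */
struct subject { int uid; bool privileged; struct label lbl; };
struct object  { int owner; unsigned mode; struct label lbl; };

/* DAC: the owner may change the mode bits at her discretion (chmod-like). */
static bool dac_set_mode(const struct subject *s, struct object *o, unsigned mode) {
    if (s->uid != o->owner && !s->privileged) return false;
    o->mode = mode;
    return true;
}

/* MAC: ownership gives no right to relabel; only the system (modelled
 * here as a privileged subject) may change the label. */
static bool mac_set_label(const struct subject *s, struct object *o, struct label l) {
    if (!s->privileged) return false;
    o->lbl = l;
    return true;
}

/* a dominates b: level at least as high, and a's categories include b's. */
static bool dominates(struct label a, struct label b) {
    return a.level >= b.level && (a.cats & b.cats) == b.cats;
}

/* A read must pass both checks: DAC mode bits and MAC dominance. */
static bool may_read(const struct subject *s, const struct object *o) {
    unsigned bit = (s->uid == o->owner) ? 0400u : 0004u;
    return (o->mode & bit) != 0 && dominates(s->lbl, o->lbl);
}

/* Constructed scenario: the owner opens the file to everyone, then tries
 * to strip its label. Returns a bitmask of the operations that succeeded. */
static int demo(void) {
    struct subject owner = { 100, false, { 2, 0x3 } };
    struct subject other = { 200, false, { 1, 0x1 } };
    struct object  file  = { 100, 0600,  { 2, 0x2 } };
    int r = 0;
    if (dac_set_mode(&owner, &file, 0644)) r |= 1;                    /* allowed */
    if (mac_set_label(&owner, &file, (struct label){ 0, 0 })) r |= 2; /* denied */
    if (may_read(&other, &file)) r |= 4;  /* denied: label not dominated */
    if (may_read(&owner, &file)) r |= 8;  /* allowed */
    return r;
}

int main(void) { printf("result mask: %d\n", demo()); return 0; }
```

In this model the owner's mode change to 0644 succeeds, yet the other user still cannot read the file because the label, which the owner cannot alter, is not dominated.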
