MAC question again

James Buster bitbug at seal.engr.sgi.com
Wed Sep 29 06:43:35 GMT 1999


On Sep 29, 10:32am, "Ilmar S. Habibulin" wrote:
} My main question is - what's the difference between DAC groups and MAC
} non-hierarchical categories?

An object is owned by only one group at a time. A MAC label may have
many (or no) categories. If an object is owned by any of the group
ids in your process' group id list, you may access the object as the
group owner of that object (assuming you aren't also the owner of that
object).  The excess group ids don't enter into the access decision.
If the category set of your process' MAC label does not match that of
the object's MAC label, you may not have access to that object. For
example, if your process' MAC label has categories a,b,c and the
object's MAC label has categories a,c that process may read that
object. However, if that object's MAC label has categories a,d you may
not read that object.

} that some authorized user(owner) could change these non-hierarchical
} categories in some cases

Being the owner of an object does not give you the ability to change
anything about the MAC label of an object, including that MAC label's
categories.

-- 
Planet Bog -- pools of toxic chemicals bubble under a choking
atmosphere of poisonous gases... but aside from that, it's not
much like Earth.
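
The two decisions contrasted in the message above, as an added example that is not part of the original post or of any POSIX.1e implementation. The struct and function names, the bitmask encoding of categories and the sample ids are assumptions made for illustration, and the hierarchical level of a MAC label is left out so that only the category comparison is shown.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; each category is modelled as one bit in a mask. */
enum { CAT_A = 1u << 0, CAT_B = 1u << 1, CAT_C = 1u << 2, CAT_D = 1u << 3 };
enum dac_class { DAC_OWNER, DAC_GROUP, DAC_OTHER };

struct subject {
    unsigned uid;
    const unsigned *gids;   /* process group id list */
    size_t ngids;
    uint32_t cats;          /* category set of the process MAC label */
};

struct object {
    unsigned uid;           /* owner */
    unsigned gid;           /* the one owning group */
    uint32_t cats;          /* category set of the object MAC label */
};

/* DAC: pick the permission class. Only a match on the object's single
 * group counts; the remaining ids in the list play no part. */
enum dac_class dac_class_for(const struct subject *s, const struct object *o)
{
    if (s->uid == o->uid)
        return DAC_OWNER;
    for (size_t i = 0; i < s->ngids; i++)
        if (s->gids[i] == o->gid)
            return DAC_GROUP;
    return DAC_OTHER;
}

/* MAC: read requires every object category to be in the process label. */
bool mac_cats_permit_read(const struct subject *s, const struct object *o)
{
    return (o->cats & ~s->cats) == 0;
}

int main(void)
{
    const unsigned gids[] = { 100, 200, 300 };      /* constructed sample ids */
    struct subject p = { 1000, gids, 3, CAT_A | CAT_B | CAT_C };
    struct object ac = { 2000, 200, CAT_A | CAT_C };
    struct object ad = { 2000, 200, CAT_A | CAT_D };
    printf("a,c: class=%d read=%d\n", dac_class_for(&p, &ac), mac_cats_permit_read(&p, &ac));
    printf("a,d: class=%d read=%d\n", dac_class_for(&p, &ad), mac_cats_permit_read(&p, &ad));
    return 0;
}
```

Both sample objects fall into the same DAC group class, yet only the a,c object passes the category check, which is the distinction the message draws.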


