[ACL-Devel] Newbie question
Andreas Gruenbacher
a.gruenbacher@bestbits.at
Thu, 13 Apr 2000 17:31:29 +0200
Jean-Eric Cuendet wrote:
>
> Hi,
> I just wonder what is the EXACT meaning of ACLs, CAP and MAC.
> I know that ACLs are for file access restrictions (it extends the UGA in
> UNIX) but what are CAP and MAC?

Capabilities (CAP) are for processes which need special credentials such as
reading all files on filesystems (backup utilities) or which need to bind to
privileged ports (network demons). These programs are currently SUID 0. This is
a security risk (bugs in such binaries may give the attacker root privileges).
In the future, all such special capabilities of processes (including root) will
be determined by capabilities. This allows for systems without an omnipotent
superuser.

Mandatory Access Control (MAC) is for implementing things like compartments
(multiple virtual hosts that don't see each other) and hierarchical access
models (e.g., a process with label 5 may read from files with label 5 or below,
and may write to files with label 5 or above.) (This is not quite it,
technically...)

All that stuff is described in POSIX 1003.1e and 1003.2c, available at:
<http://www.guug.de/~winni/posix.1e/download.html>

Andreas
------------------------------------------------------------------------
Andreas Gruenbacher, a.gruenbacher@computer.org
Contact information: http://www.bestbits.at/~ag/
-------------------------------------------------------------------------
Linux ACL Developers List --- http://acl.bestbits.at/acl-devel/
-------------------------------------------------------------------------
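
An added example, not part of the message above or of the POSIX drafts it cites: a small C audit check that tells a daemon holding only the port-binding capability apart from one running with the full root set, which is the difference between the capability model and SUID 0 described in the reply. It assumes the Linux `/proc/<pid>/status` `CapEff:` line and the capability bit numbers from Linux `<linux/capability.h>`; the sample status text is constructed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit numbers from Linux <linux/capability.h> (Linux-specific assumption). */
#define CAP_DAC_READ_SEARCH   2  /* read any file: backup utilities */
#define CAP_NET_BIND_SERVICE 10  /* bind to ports below 1024: network daemons */
#define BIT(c) ((uint64_t)1 << (c))

/* Pull the effective capability mask out of /proc/<pid>/status text.
 * Returns 0 on success, -1 if CapEff is missing or not hexadecimal. */
int parse_cap_eff(const char *status, uint64_t *mask)
{
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *q = p + 7;
            while (*q == ' ' || *q == '\t') q++;
            if (!isxdigit((unsigned char)*q)) return -1; /* empty value */
            *mask = (uint64_t)strtoull(q, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');   /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* 0: process holds nothing outside `allowed`; 1: it holds more
 * (e.g. a SUID 0 binary with the full set); -1: status unparsable. */
int audit_status(const char *status, uint64_t allowed)
{
    uint64_t eff;
    if (parse_cap_eff(status, &eff) != 0) return -1;
    return (eff & ~allowed) ? 1 : 0;
}

/* Constructed sample inputs, not captured from a real system. */
static const char DAEMON[] = "Name:\thttpd\nCapInh:\t0000000000000000\nCapEff:\t0000000000000400\n";
static const char ROOT[]   = "Name:\thttpd\nCapEff:\t000001ffffffffff\n";

int main(void)
{
    uint64_t web = BIT(CAP_NET_BIND_SERVICE);
    printf("capability-limited daemon: %d\n", audit_status(DAEMON, web));
    printf("SUID 0 style daemon:       %d\n", audit_status(ROOT, web));
    return 0;
}
```

On a live Linux system the same functions can be fed the contents of `/proc/<pid>/status` for each listening daemon.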