Lionel Elie Mamane wrote:
> On Tue, Aug 20, 2002 at 05:28:12PM +0200, Robert Millan wrote:
> > On Tue, Aug 20, 2002 at 03:15:22AM +0200, Marcus Brinkmann wrote:
> > > On Tue, Aug 20, 2002 at 03:15:49AM +0200, Robert Millan wrote:
> > > > Do we have file permission bits for the unauthenticated user?
> > > Yes. And a bit to control if it should use those or the o bits.
> > Well, I think we can reach something much more secure than the "all or nothing" traditional Unix approach, too.
> > Let's say I want to set a public console for html browsing; on the GNU system the browser could be set as the only application the guest user can execute.
> > But to get it really flexible this would need a large permission table, though, where each file has a permission set for owner, each user and each group. I don't know if this is scalable.
> Isn't that (functionally) the idea behind ACLs, while they tend to be implemented as just that: lists, and not a big table?

ACLs (Access Control Lists, for those who haven't heard the term before) are, theoretically, a superior form of security for an OS, since they allow the administrator to have more fine-grained control over access to the system.
However, the only system I'm familiar with that uses them is Windows NT/2K/XP. In my experience, they actually make the system less secure, because they are much less intuitive to work with than the standard UN*X file permissions.
I assume that the Hurd is sticking with the traditional UN*X model because most sysadmins who are used to UNIX will find this easier to work with. Furthermore, switching to an ACL-based model would probably break compatibility with traditional Unices, or at the very least, require a lot of work porting existing programs that depend on the UN*X security model.
Of course, the flexibility of the Hurd should make it easier to build ACLs into the GNU system at some point in the future, should the need for them arise. (Can anyone with more experience than me comment on this?)
-- Tom Hart hartte13@brandonu.ca