Re: Ext3 filesystem info?

Casey Schaufler (casey@sgi.com)
Fri, 24 Sep 1999 11:51:40 -0700


Michael Bacarella wrote:

> Who is allowed to see what ACLs are in place?
>
> I know I would feel pretty insulted if I looked at a friend's ACL and he
> gave everyone BUT me LOOKUP access to his directories. It'd also suck
> for that person if I found out. :)

One classic example for how you'd use ACLs is the Surprise Birthday
Party Announcement, for which you want to grant everyone in a group
read access except the guest of honor. There, does that help you
feel better? Maybe they've gotten you a nice cake!

When we evaluated Irix (at B1) we had to address the issues of
access control policy, including why it was that a user might be
able to see the permission bit on a file that she couldn't read.
We explained it thus:

Access to a file system object (e.g. a file) is controlled by
a set of policies:

PATH-DATA-READ
    The path leading to the object must be composed
    of readable objects.
    The MAC label of the subject (e.g. process) must
    dominate that of the object.
    The DAC permissions (e.g. permission bits, ACL)
    on the object must allow read.
PATH-DATA-WRITE
    The path leading to the object must be composed
    of readable objects.
    The MAC label of the subject (e.g. process) must
    dominate that of the object.
    The DAC permissions (e.g. permission bits, ACL)
    on the object must allow write.
PATH-ATTRIBUTE-READ
    The path leading to the object must be composed
    of readable objects.
    The MAC label of the subject (e.g. process) must
    dominate that of the object.
PATH-ATTRIBUTE-WRITE
    The path leading to the object must be composed
    of readable objects.
    The MAC label of the subject (e.g. process) must
    dominate that of the object.
    The owner of the subject must be the owner of the
    object.
FD-DATA-READ
    Access is permitted.
FD-DATA-WRITE
    Access is permitted to the extent granted on open().
FD-ATTRIBUTE-READ
    Access is permitted.
FD-ATTRIBUTE-WRITE
    The owner of the subject must be the owner of the
    object.

The access to the attributes of a file is controlled differently
from the access to the data of a file. Short of using an additional
scheme such as MAC, there is no way to prevent someone from reading
the attributes for a file without using the attributes of another
object (a containing directory).

You could decide that an ACL is a "special attribute", with yet
another access control policy. I'd be interested in a policy that
makes sense. If you say check the ACL, I'll refer you to MAC.

-- 

Casey Schaufler                 voice: (650) 933-1634
casey@sgi.com                   fax:   (650) 933-0170
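As an added illustration (not part of Casey's message, nor Irix code), the following Python models the PATH-* policies listed above and runs the surprise-party ACL through them. The ACL entry format, the category part of the MAC label, and the rule that a matching user entry overrides group entries are my assumptions for the model.

```python
from collections import namedtuple

Label = namedtuple("Label", "level cats")            # MAC label (assumed shape)
Subject = namedtuple("Subject", "uid groups label")
Obj = namedtuple("Obj", "owner label acl parents")   # parents: containing dirs

def dominates(a, b):
    # MAC dominance: a's level is at least b's and a holds all of b's categories
    return a.level >= b.level and a.cats >= b.cats

def dac_allows(subj, obj, perm):
    # Entries are ("user", uid), ("group", name) or ("other",).  Assumed rule:
    # a matching user entry is decisive, so "everyone in the group except one
    # user" is expressible by giving that user an empty entry.
    if ("user", subj.uid) in obj.acl:
        return perm in obj.acl[("user", subj.uid)]
    grp = [obj.acl[("group", g)] for g in subj.groups if ("group", g) in obj.acl]
    if grp:
        return any(perm in p for p in grp)
    return perm in obj.acl.get(("other",), set())

def permitted(subj, obj, policy):
    """Evaluate one of the PATH-* policies listed in the message."""
    # Common prefix: every directory on the path readable, and MAC dominance.
    if not all(dac_allows(subj, d, "r") and dominates(subj.label, d.label)
               for d in obj.parents):
        return False
    if not dominates(subj.label, obj.label):
        return False
    if policy == "PATH-DATA-READ":
        return dac_allows(subj, obj, "r")
    if policy == "PATH-DATA-WRITE":
        return dac_allows(subj, obj, "w")
    if policy == "PATH-ATTRIBUTE-READ":
        return True  # no DAC check: permission bits and the ACL are visible
    if policy == "PATH-ATTRIBUTE-WRITE":
        return subj.uid == obj.owner
    raise ValueError(policy)

# Constructed scenario: alice's party announcement is readable by group
# "friends" except bob (the guest of honour); "secret" carries a higher label.
LOW, HIGH = Label(0, frozenset()), Label(1, frozenset())
home = Obj(1000, LOW, {("other",): {"r"}}, ())
party = Obj(1000, LOW, {("group", "friends"): {"r"}, ("user", 1001): set()}, (home,))
secret = Obj(1000, HIGH, {("other",): {"r"}}, (home,))
alice, bob, carol = (Subject(u, frozenset({"friends"}), LOW) for u in (1000, 1001, 1002))

if __name__ == "__main__":
    for who in (alice, bob, carol):
        print(who.uid, [permitted(who, party, p) for p in ("PATH-DATA-READ", "PATH-ATTRIBUTE-READ")])
```

Bob cannot read the announcement, yet PATH-ATTRIBUTE-READ lets him see its ACL; only the higher MAC label on "secret" hides attributes from him, which is the point the message makes.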
