Date: Sun, 19 Aug 2001 21:57:16 -0400 (EDT)
From: Robert Watson <rwatson@freebsd.org>
To: Jonathan Slivko <js43064n@pace.edu>
Cc: Ken Cross <kcross@ntown.com>, freebsd-security@freebsd.org
Subject: Re: DENY ACL's
Message-ID: <Pine.NEB.3.96L.1010819215415.34466G-100000@fledge.watson.org>
In-Reply-To: <Pine.NEB.3.96L.1010819214320.34466F-100000@fledge.watson.org>

Just as a general comment on our current ACL implementation: we use POSIX.1e because it is a (de facto) standard, not because it is perfect. When I looked at the available ACL models in use outside of FreeBSD, it provided the best combination of benefits, when weighing factors such as application portability, UNIX model compatibility, etc. A number of people spent a great deal of time making POSIX.1e ACLs have these properties, and although the standard was never finalized, it's no coincidence that ACLs on almost all major UNIX platforms have the same semantics, if not the same interface.

On the other hand, I'm personally a big fan of AFS ACLs, which are associated only with directories (not individual files per se), and exist side-by-side with a user-managed group model. Sadly, that model integrates poorly with standard UFS semantics, and departs significantly from the UNIX/POSIX model in terms of applications failing "nicely" when it comes to security.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Project
robert@fledge.watson.org      NAI Labs, Safeport Network Services

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message