Path: utzoo!utgpu!attcan!uunet!lll-winken!ames!xanth!nic.MR.NET!shamash!raspail!bga
From: bga@raspail.UUCP (Bruce Albrecht)
Newsgroups: comp.os.misc
Subject: Re: Unix bigotry
Message-ID: <1143@raspail.UUCP>
Date: 15 Jan 89 20:31:05 GMT
References: <1135@raspail.UUCP> <229@sea375.UUCP>
Organization: Control Data Corporation, Arden Hills, MN
Lines: 34

In article <229@sea375.UUCP>, dave@sea375.UUCP (David A. Wilson) writes:
> Access control lists are nice for some cases, but I have found them to be
> easily abused. For example, some systems allow wildcard specifications of
> usernames.

[Example of misuse of wildcards deleted]

> Now you have to find and correct all the ACLs on the system.
> I think group ownership and group membership are far more manageable than ACLs.

If group membership allowed wildcards, you'd have the same problem of abuse.
If group creation/modification is a privileged operation, the use of group
permissions by a non-privileged user is worthless. Although the systems I
have used with ACLs have not provided utilities to manage ACLs, it would have
been easy to write a program or procedure to copy one file's ACL to another
file, had I needed to do so often.

> I still have not seen any convincing argument for ACLs being more secure
> than Unix permission bits. It's all in how you use them, and in how well
> the system software enforces access rights.

Here's something you can't do with Unix group permissions: grant different
access rights to different users. With CDC's NOS/VE, the following
permissions are possible: read, execute, shorten, modify, append. I can
create a log file that has append permission for everyone, read and append
for one set of people, and read/write (shorten, modify, append) for a second
set of people.

> > Last time I checked, it didn't have guardian procedures, either.
> What are guardian procedures?

A procedure that is invoked whenever you open a file, that intercepts all
I/O to perform filtering or security verification. It's not needed by a file
that is only accessible via a program with setuid/setgid set. If, for
example, you had a database with some sensitive data, you could still make
it available for general access, if you had a guardian procedure return
spaces for all sensitive fields for users not authorized to see them, and
only allow some users to modify a subset of the fields, if any.
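An added example, not part of the post and not NOS/VE's actual interface: a toy model of the per-user ACL with the five NOS/VE permissions (read, execute, shorten, modify, append), the log-file setup the post describes, and a constructed "guardian procedure" that blanks sensitive fields on open for unauthorized users. Principal names, group names and field names are assumptions for illustration.

```python
# Added example (not from the post): NOS/VE-style ACL entries and a
# guardian-procedure hook. Names here are illustrative, not NOS/VE's API.
from dataclasses import dataclass, field

PERMS = {"read", "execute", "shorten", "modify", "append"}
WRITE = {"shorten", "modify", "append"}      # the post's "read/write" set

@dataclass
class Acl:
    entries: dict = field(default_factory=dict)   # principal -> set of perms

    def grant(self, principal, *perms):
        bad = set(perms) - PERMS
        if bad:
            raise ValueError(f"unknown permissions: {bad}")
        self.entries.setdefault(principal, set()).update(perms)

    def allows(self, user, groups, perm):
        """Right is granted if 'everyone', any of the user's groups, or the
        user itself carries the permission (union of matching entries)."""
        for principal in ("everyone", *groups, user):
            if perm in self.entries.get(principal, set()):
                return True
        return False

def log_file_acl():
    """The post's log file: append for all, read+append for one set of
    people (group 'readers'), read/write for a second set ('admins')."""
    acl = Acl()
    acl.grant("everyone", "append")
    acl.grant("readers", "read", "append")
    acl.grant("admins", "read", *WRITE)
    return acl

SENSITIVE = {"salary", "ssn"}   # assumed field names for the example

def guardian_open(records, user, groups, authorized_groups):
    """Constructed guardian procedure: runs at open time and returns the
    records with sensitive fields replaced by spaces unless the caller is
    in an authorized group. Records are copied so the store is untouched."""
    if set(groups) & set(authorized_groups):
        return [dict(r) for r in records]
    return [{k: (" " * len(str(v)) if k in SENSITIVE else v)
             for k, v in r.items()} for r in records]
```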