UFS ACLs
I admittedly haven't done much homework on this topic, but I was wondering if anyone has played with the idea of implementing ACLs on top of UFS. One of the weakest areas in UNIX is its lack of fine-grained access control for resources - the biggest resource being, of course, the filesystem. Chuck Youse To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: UFS ACLs
> I admittedly haven't done much homework on this topic, but I was wondering > if anyone has played with the idea of implementing ACLs on top of UFS. > > One of the weakest areas in UNIX is its lack of fine-grained access > control for resources - the biggest resource being, of course, the > filesystem. > > Chuck Youse Chuck -- Go do your homework. :) Check the freebsd-security archive for copious, endless discussions on this subject, requirements therefore, etc. ==ml To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: UFS ACLs
As pointed out already, there has been *extensive* discussion of this in *numrous* forums. To guide your research into the topic, I recommend looking at the ACL implementations in Solaris and IRIX, as well as the POSIX.1e ACL specification. Take a look at http://www.watson.org/fbsd-hardening/posix1e/ for links to information on POSIX.1e. You may also want to search the UCLA tech report archive for references to file system layers, extended attribute services, and Access Control Lists, which should turn up a few papers on layered file systems, and specifically on implementing an ACLfs based on an extended attribute service based on layering (lots of bases here). For FreeBSD-specific information, I can recommend no better than searching the archives of -hackers, -security, -fs, and -arch. If you're interested in fine-grained access control on objects other than files, there has been lots of discussion of that also, in many forums. In fact, it's realistic to say that there's a whole field of research on hardening UNIX, writing trusted UNIX implementations, etc. On Wed, 27 Oct 1999, Chuck Youse wrote: > > I admittedly haven't done much homework on this topic, but I was wondering > if anyone has played with the idea of implementing ACLs on top of UFS. > > One of the weakest areas in UNIX is its lack of fine-grained access > control for resources - the biggest resource being, of course, the > filesystem. > > Chuck Youse > > > > > To Unsubscribe: send mail to [EMAIL PROTECTED] > with "unsubscribe freebsd-hackers" in the body of the message > Robert N M Watson [EMAIL PROTECTED] http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
Re: UFS ACLs
Chuck Youse wrote: > > I admittedly haven't done much homework on this topic, but I was wondering > if anyone has played with the idea of implementing ACLs on top of UFS. > > One of the weakest areas in UNIX is its lack of fine-grained access > control for resources - the biggest resource being, of course, the > filesystem. As my personal experience with Novell Netware shows most of the time the presence of the fine-grained access control is a great temptation to create a complete mess in the filesystem. The thing I personally feel neccessary is being able to assign access rights to a file to two separate groups because it's cheap and resolves most of the problems. I have implemented it as a small patch that works with both FFS and EXT2FS in FreeBSD. Let me know if you are interested in looking at it. -SB To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-hackers" in the body of the message
