begin quoting Wade Curry as of Sat, Nov 26, 2005 at 04:33:19PM -0800:
> Stewart Stremler([EMAIL PROTECTED])@Sat, Nov 26, 2005 at 03:20:58PM -0800:
> > Anything resembling a CL (capabilities list)?
>
> Not sure exactly what a CL is.
Er...
The definitive (abstract) way to define access permissions is with
an access control matrix:
           | Object-1 | Object-2 | Object-3 | ... | Object-N |
-----------+----------+----------+----------+-----+----------+
Subject-1  |          |          |          |     |          |
-----------+----------+----------+----------+-----+----------+
Subject-2  |          |          |          |     |          |
-----------+----------+----------+----------+-----+----------+
Subject-3  |          |          |          |     |          |
-----------+----------+----------+----------+-----+----------+
  . . .    |          |          |          |     |          |
-----------+----------+----------+----------+-----+----------+
Subject-N  |          |          |          |     |          |
-----------+----------+----------+----------+-----+----------+
Each cell of the matrix (Si,Oj) contains the access that that
subject has for that object. This is, however, clumsy, and
wasteful, and inelegant.
The matrix is also typically sparse (lots of empty cells), but even
efficient structures make for a big mess. So... you slice it up.
If you chop it up into columns, then each object gets a list
of all the subjects that have access to it. This is an Access
Control List.
If you chop it up into rows, then each subject gets a list
of objects it has access to, and what permissions it has on
those objects. This is a Capabilities List.
> Each user or group has the ability
> to read/write/alter datasets(files) when they are explicitly
> "permitted" to that dataset. The list of users permitted to the
> dataset (the dataset profile) is kept by RACF in its own database.
> None of this appears in the filesystem.
If it's a list of users per dataset, it's an ACL; if it's a list
of datasets per user, it's a CL; if it's a table, it's an ACM.
-Stewart "We need protect and append ACLs in *NIX" Stremler
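
Added example (not part of the original message): the column and row slicing described above, applied to a sparse access control matrix. The subject names, dataset names and rights are constructed for illustration, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data: a sparse access control matrix that stores only
# the non-empty cells. Key = (subject, object), value = rights in that cell.
ACM = {
    ("alice", "PAYROLL.DATA"): {"read", "alter"},
    ("bob", "PAYROLL.DATA"): {"read"},
    ("alice", "SYS1.PARMLIB"): {"read"},
    ("carol", "AUDIT.LOG"): {"read", "write"},
}


def to_acls(acm):
    """Chop the matrix into columns: object -> {subject: rights} (an ACL)."""
    acls = defaultdict(dict)
    for (subject, obj), rights in acm.items():
        if rights:  # empty cells never appear in either slicing
            acls[obj][subject] = frozenset(rights)
    return dict(acls)


def to_capability_lists(acm):
    """Chop the matrix into rows: subject -> {object: rights} (a CL)."""
    caps = defaultdict(dict)
    for (subject, obj), rights in acm.items():
        if rights:
            caps[subject][obj] = frozenset(rights)
    return dict(caps)


def allowed_by_acl(acls, subject, obj, right):
    """Access check that starts from the object's list (default deny)."""
    return right in acls.get(obj, {}).get(subject, frozenset())


def allowed_by_cl(caps, subject, obj, right):
    """Access check that starts from the subject's list (default deny)."""
    return right in caps.get(subject, {}).get(obj, frozenset())


def rebuild_matrix(acls):
    """Reassemble the matrix from its columns to show no cell was lost."""
    return {(s, o): set(r) for o, col in acls.items() for s, r in col.items()}


if __name__ == "__main__":
    print("ACL for PAYROLL.DATA:", to_acls(ACM)["PAYROLL.DATA"])
    print("CL for alice:", to_capability_lists(ACM)["alice"])
```

Both slicings hold exactly the same cells; they differ only in which question is a single lookup: "who can touch this dataset?" for the ACL, "what can this user touch?" for the CL.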