Classifying users and groups

Submit your RBAC policies or suggest policy improvements

Moderators: spender, PaX Team

Classifying users and groups

Postby Loggy » Sun May 30, 2004 6:20 am

Three questions:

1 If there are a large number of users (or groups) that have the same essential access control requirements other than the /home directory for example, is there a way of specifying an ACL that covers all of them rather than having to specify an ACL for each user (or group)?

Perhaps you could do this by having the home directories in a sub-directory and using /home/set1/*, home/set2/* etc for users but if one user moved from set1 to set2 this may make problems elsewhere - for example with /tmp files and there is no subject globbing anyway.

By using inheritance, I guess the ACLs could be kept relatively simple but that still requires a role per user and group as I see it.

2 An extension really if there is a positive reply to 1 is that if a new user or group is created, would the ACLs have to be reloaded? Clearly if the answer to 1 is negative this would be the case as the ACLs would have to be modified anyway.

3 Can the standard Linux user-group-world chmod type of security be compromised and how can this be avoided?

The problem is really one of ACL maintenance if there are a lot of users and groups on a system which can be divided into a small number of sets, it would be much easier to manage the system if the ACL file is concise. The alternative is a long file prone to errors and therefore to security violations.
Loggy
 
Posts: 14
Joined: Tue Nov 18, 2003 5:28 am
Location: UK

Classifying users and groups (ii)

Postby Loggy » Mon May 31, 2004 5:45 am

Perhaps this may also be enhanced by extending the globbing rules (a) to include some rudimentary regular expression syntax and (b) by applying it to subjects and roles as well as objects.

Is this worth thinking about?
Loggy
 
Posts: 14
Joined: Tue Nov 18, 2003 5:28 am
Location: UK


Return to RBAC policy development

cron