[rsbac] (more) RC, ACL models questions

sftf at yandex.ru sftf at yandex.ru
Wed May 5 15:10:26 CEST 2004 

Hello Amon !
Thanks for help.
I still can't understand following:
1.
>>   1. How to do with ACL, so that it is impossible to delete DIR, but
>>      FILEs and DIRs under it possible to delete ?

AO> Simple solution: Set FF flag no_rename_or_delete on this dir.
  FF flags work fine, but regardless USERS,GROUPS and ROLES. So this not for me.
AO> Remove DELETE from dir's mask and add a sufficient entry for group 0 to all 
AO> files and dirs below.
  As to ACL: With removed DELETE flag, it is impossible delete FILEs and DIRs below.
  To solve this problem, we add "a sufficient entry for group 0 to all
  files and dirs below."

  BUT newly created FILEs and DIRs inherit parent mask (with removed DELETE flag) and
  and consequently their it is again impossible delete...
  This mask controls that inherits the givenned object from parent, not so?
  I think there is lack of the mask, which defines that inherit children (in my sense).

  And else - it is provided possibility to set rights to create only DIRs but not FILEs and vice versa
  (distinguishing the files and directory) ?
  
2. In book rc-nordsec2002 is written :
    "Each process must have only one current role at a time..." and
    "A process may change its current role r1 to role
    r2, if role r2 is in the set of compatible roles of role r1."
  So, for example user, can't do its work with rights of BOTH (or more)
  ROLES simultaneously ?
  He can only explicitly be switched from one role to another compatible role?
  If so, that I think, this is big inconvenience (and maybe security hole, I don't know).

  Reason:
  Complex rights possible quickly to collect from simple roles.
  I planned to create two roles ("System_Admin" and "Installer"),
  and allow System_Admin role temporarily to do "Installer" work.
  For this I planned to give the root two roles "System_Admin" and "Installer",
  so root has got power of TWO ROLES.
  But this has not operated.
3. What is a "MODIFY_AUTH " right?

Thank you a lot!
mailto:sftf at yandex.ru

More information about the rsbac mailing list