Re: what's next for the linux kernel?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



[email protected] wrote:

The part that you managed to miss is that this is MAC - *Mandatory*
Access Control.  This means that the *sysadmin* gets to say "this user
can't look at that file" - and there's nothing(*) either the owner of the
file or the user can do about it.  There's no chmod or chattr or chacl
command that the owner can issue to let somebody else read it - that's
the whole *point* of MAC.

(*) Well.. almost nothing.  The owner *may* be able to copy the contents
of the file to another file that the other user is allowed to read.  On the
other hand, the ability to do this would generally indicate a buggy policy....
Seems to me there is no use taking away the owners ability to chmod,
precisely because the owner always can get around that. (Unless
the owner doesn't even have the right to read his own file.)

You can have a restricted "copy" program, but nothing prevents a
user from making his own copy program, if he can read the file.
Or the user can load the file into the intended app, and "save as"
to some other filename and directory.  Or the user can do a screendump,
or even take a picture of the screen.
Company policy may of course forbid the user to bring a camera, just as it
might forbid the user to do "chmod o+r" on important files.  I am not
sure that we need the OS to try to enforce such things.
Helge Hafting

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux