Short cheat-sheet for Multics ACLs
David Collier-Brown
davecb at canada.sun.com
Tue Feb 15 18:28:09 GMT 2000
Commands are
    set_acl       -- sets acls on existing files or directories
    set_iacl_dir  -- sets initial acls for subdirs to be created
    set_iacl_seg  -- sets initial acls for files to be created
Permissions are
    file
        r -- read
        e -- execute
        w -- write
        <none>
    directory
        s -- status, like Unix read
        m -- modify, like write
        a -- append
        <none>
Note that there is no equivalent to Unix's
"execute" meaning "traversal allowed"
Users are
    user.group.tag
        user  -- same as unix
        group -- similar, but non-identical
        tag   -- e.g., foreground or background
Individuals have base groups (I was in .TSDC) and project
groups (.SDE). By setting group to .SDE I could therefore
work on the SDE project. These were usually written DRBrown.TSDC
with the tags left off. If a permission mentioned
just DRBrown, the system assumed you meant DRBrown.*.*
Anything which can be a memory segment (i.e., a file) can
have ACLs, and there are extended ACLs, which allowed a
developer to re-use the basic data structures and code to
implement special features. ACLs on files which controlled
physical devices, like tapes, were an example.
The data is stored in what amounts to a table, which
is traversed in a predictable order before granting access
to an individual and/or group.
Independent of this, there are two other kinds of protection:
Ring brackets, which separate
    a) privileged code which implements this scheme
    b) privileged code which doesn't care (;-)), and
    c) untrusted code which just uses it
and Mandatory Access Control, which amounts to a single,
higher level acl- or perm-like structure which blocks
any access to files and directories, and which cannot
just be set to "rwx" by the user.
--dave
--
David Collier-Brown, | Always do right. This will gratify some people
185 Ellerslie Ave., | and astonish the rest. -- Mark Twain
Willowdale, Ontario | //www.oreilly.com/catalog/samba/author.html
Work: (905) 415-2849 Home: (416) 223-8968 Email: davecb at canada.sun.com
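The Person.Project.tag matching described in the message above, as an added example that is not part of the original post or of Multics itself: names missing components are padded with `*` (so `DRBrown` means `DRBrown.*.*`), segment ACLs accept only r/e/w and directory ACLs only s/m/a, the table is searched in a fixed order and the first matching entry decides, and a new segment starts with a copy of the directory's initial segment ACL (what `set_iacl_seg` configures). The most-specific-first search order, the `null` spelling of `<none>`, the reading of `a` as "may add entries", and the principals `DRBrown.SDE.a` / `JSmith.SDE.a` / `DRBrown.TSDC.a` in the demo are this example's own assumptions and constructed data.

```python
# Toy Multics-style ACL evaluator. Added example, not from the original mail:
# it models the Person.Project.tag naming, wildcard defaulting, the r/e/w and
# s/m/a mode sets, and initial ACLs as described in the message. The
# most-specific-first search order and the "null" spelling of <none> are
# this example's assumptions, not something the mail states.
from dataclasses import dataclass, field

SEG_MODES = set("rew")   # segment (file) modes: read, execute, write
DIR_MODES = set("sma")   # directory modes: status, modify, append


def normalize(principal):
    """Pad a Person.Project.tag name to three parts; missing parts mean '*'.
    'DRBrown' becomes ('DRBrown', '*', '*'), as the mail says."""
    parts = principal.split(".")
    if not 1 <= len(parts) <= 3 or "" in parts:
        raise ValueError("bad principal %r" % principal)
    return tuple(parts + ["*"] * (3 - len(parts)))


def matches(pattern, name):
    """A pattern component matches if it is '*' or equal to the name's."""
    return all(p == "*" or p == n for p, n in zip(pattern, name))


def specificity(pattern):
    """Sort key: fewest wildcards first. ASSUMPTION for tie-breaking: an exact
    person outranks an exact project, which outranks an exact tag."""
    stars = [p == "*" for p in pattern]
    return (sum(stars), stars[0], stars[1], stars[2])


@dataclass
class Acl:
    kind: str                                      # "seg" or "dir"
    entries: list = field(default_factory=list)    # (modes, pattern) tuples

    def set_acl(self, modes, principal):
        """Add or replace the entry for `principal`; 'null' means no access."""
        allowed = SEG_MODES if self.kind == "seg" else DIR_MODES
        modes = "" if modes == "null" else modes
        if not set(modes) <= allowed:
            raise ValueError("modes %r not valid for a %s" % (modes, self.kind))
        pattern = normalize(principal)
        self.entries = [e for e in self.entries if e[1] != pattern]
        self.entries.append((modes, pattern))
        self.entries.sort(key=lambda e: specificity(e[1]))   # predictable order

    def effective_modes(self, principal):
        """First matching entry wins; no matching entry means no access."""
        name = normalize(principal)
        for modes, pattern in self.entries:
            if matches(pattern, name):
                return modes
        return ""

    def permits(self, principal, mode):
        return mode in self.effective_modes(principal)


@dataclass
class Directory:
    acl: Acl
    iacl_seg: Acl = field(default_factory=lambda: Acl("seg"))   # set_iacl_seg
    iacl_dir: Acl = field(default_factory=lambda: Acl("dir"))   # set_iacl_dir

    def create_segment(self, creator):
        """ASSUMPTION: adding an entry needs 'a' (append) on the directory.
        The new segment starts with a copy of the initial segment ACL."""
        if not self.acl.permits(creator, "a"):
            raise PermissionError("%s lacks 'a' on directory" % creator)
        return Acl("seg", list(self.iacl_seg.entries))


def demo():
    """Constructed scenario: an SDE project directory with initial ACLs."""
    proj = Directory(acl=Acl("dir"))
    proj.acl.set_acl("sma", "DRBrown.SDE")       # DRBrown.SDE.* may add entries
    proj.acl.set_acl("s", "*.SDE")               # rest of the project: list only
    proj.iacl_seg.set_acl("null", "*.*.*")       # default: nobody
    proj.iacl_seg.set_acl("r", "*.SDE")          # project members may read
    proj.iacl_seg.set_acl("rw", "DRBrown.SDE")   # the owner may also write
    seg = proj.create_segment("DRBrown.SDE.a")
    try:
        proj.create_segment("JSmith.SDE.a")
        teammate_can_create = True
    except PermissionError:
        teammate_can_create = False
    return {
        "owner": seg.effective_modes("DRBrown.SDE.a"),          # "rw"
        "teammate": seg.effective_modes("JSmith.SDE.a"),        # "r"
        "other_project": seg.effective_modes("DRBrown.TSDC.a"), # ""
        "teammate_can_create": teammate_can_create,             # False
    }


if __name__ == "__main__":
    print(demo())
```

The entries in `demo` are deliberately added least-specific first; the sort inside `set_acl` is what gives the "predictable order", so `DRBrown.TSDC.a` falls through the two SDE entries to the explicit `null` entry and gets nothing, while a name with no entry at all gets nothing as well.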