rbk@sri-unix (12/02/82)
I'd like to add more fuel to the "let's change UNIX access protection" debate. I was involved in the design of the file-system and access protection mechanism for the iRMX-86 operating system. The RMX file-system is hierarchical much like UNIX, although it does not support links or "mounting". The "mount" concept is handled in a different manner via what's called "logical names", and is not germane to this discussion. I think some of the techniques used were useful, so I'll summarize here:

Each file supports three totally orthogonal sets of user classes: the owner of the file, and two "groups". By convention, there is one particular "group" that represents the "world" of all users. The file system could support an arbitrary number of accessors (ie, an access list), but it has only been implemented to 3.

When a file is opened, the process opening it gets all the access it is entitled to based on a user-object that lists the user and groups the user is associated with (ie, all applicable access bits are OR'd). Thus, it is impossible to give a user less access than the group that user is in.

Access bits for File:

    D   Delete (ie, the file)
    R   Read
    A   Append (to the end)
    U   Update (ie, modify current contents)

The U,A bits have the modify/append flavor that's been discussed thus far.

The same bits for a directory have somewhat different semantics (with the same encoding):

    D   Delete (the directory)
    L   List (as in read, as for "ls")
    A   Add entry (ie, can create new entry)
    C   Change entry (allows changing of an entry)

The interesting one is "C"; this allows someone that has "C" access to a directory to have arbitrary control over the files listed in that directory. This uses the nature of the hierarchy in the access model as well as the organization model. Thus, you can change the access bits for these files and allow yourself to delete files, *and* you can change the listed accessors of the file (you cannot, however, change the owner of the file). This means that if you control a directory, you control (albeit indirectly) the ENTIRE sub-tree under it. Also, the owner of a file can always change the accessor list of the file.

Any comments?

Bob Beck
Intel Corp.
...hplabs!intelqa!omsvax!rbk
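
Added example (not part of the original post and not iRMX-86 code): a small model of the access check described above, showing the OR of accessor masks and an audit of who can indirectly reach control of a file through "C" on a directory above it. The bit values, the WORLD id, the sample tree and all function names are assumptions made for illustration.

```python
# Added illustration; bit values, WORLD id and all names are assumptions.
from dataclasses import dataclass

D, R, A, U = 1, 2, 4, 8   # file bits: Delete, Read, Append, Update
L, C = R, U               # directory bits List / Change entry, same encoding
WORLD = 0                 # assumed id of the conventional "world" group

@dataclass
class User:
    uid: int
    groups: frozenset = frozenset({WORLD})

@dataclass
class Node:
    owner: int
    accessors: dict               # accessor id -> mask (the post: 3 entries)
    parent: "Node | None" = None  # containing directory

def effective_access(user, node):
    """OR the masks of every accessor entry matching the user or a group."""
    ids = {user.uid} | user.groups
    mask = 0
    for ident, bits in node.accessors.items():
        mask |= bits if ident in ids else 0
    return mask

def may_change_accessors(user, node):
    """The owner always may; anyone else needs C on the parent directory."""
    p = node.parent
    return user.uid == node.owner or (
        p is not None and bool(effective_access(user, p) & C))

def set_accessors(user, node, accessors):
    """Replace the accessor list; the owner field is never changed."""
    if not may_change_accessors(user, node):
        raise PermissionError("need ownership, or C on the parent directory")
    node.accessors = dict(accessors)

def can_reach_control(user, node):
    """Audit: may the user rewrite this node's accessor list now, or after
    first granting themselves C on an ancestor directory they control?"""
    return may_change_accessors(user, node) or (
        node.parent is not None and can_reach_control(user, node.parent))

def constructed_tree():
    """Constructed sample: root dir (owner 1) > proj dir (owner 2) > file (owner 3)."""
    root = Node(1, {1: D | L | A | C, WORLD: L})
    proj = Node(2, {2: D | L | A | C, 50: L | A, WORLD: L}, root)
    return root, proj, Node(3, {3: R, 50: R | A | U, WORLD: R}, proj)
```

In the sample tree, user 1 has no entry on the file or on proj beyond "world", yet can_reach_control reports True because of "C" on the root directory; reviewing permissions in such a model means checking every ancestor directory, not just the file.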