[E-Lang] Merits of ACLs

David Wagner daw@mozart.cs.berkeley.edu
1 Feb 2001 06:47:46 GMT

Thank you very much for your careful explanation!  Your
note forms one of the most cogent analyses of the issues
with ACL systems that I've ever had the pleasure to read.

I agree that choosing to group processes by "users" seems to
be both extremely widespread in existing implementations as well
as very problematic for delegation.  It is this choice of an
equivalence class that causes many of the problems in typical
implementations of ACL systems.

If I understand correctly, the introduction of the equivalence
class on subjects seems to have been motivated by performance:
it is probably unrealistic to try to store the entire access
control matrix without compression, because it would become too
large.  The problem is that the equivalence relation chosen was
too coarse.

In this context, I find the work on `domain and type enforcement'
(DTE) of interest.  Roughly speaking, `domains' are an equivalence
class on subjects (processes), and `types' are an equivalence class
on objects; then, rather than storing the whole access control
matrix, one simply stores access rights for each (domain,type) pair.
(There is also extra stuff tacked on that I haven't described.)
Note that DTE implementations do seem to avoid some of the problems
associated with grouping processes by "users".

Also, now that I've read your analysis, I am led to wonder whether
the design decisions in Unix-like operating systems may not have
been made based on performance more than security.  Consider:
if subjects (processes) come and go rapidly, you want to store
access rights with the subjects, so that when subjects are destroyed
it is easy to deallocate the corresponding access rights.  In contrast,
if objects come and go whereas subjects are fairly stable, you want
to store access rights with objects (again, purely on performance
grounds).  I find it interesting that, in a Unix-like formulation,
it is indeed objects ("files") that appear and disappear on much
shorter time-scales than the subjects (accounts in /etc/passwd).
One might speculate that these performance considerations were the
real reason Unix's ACL-based protection model looks the way it does.
Could it be?

Thank you again for taking the time to share your insights.
I found them truly educational and eye-opening.
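The two ideas in the message above, compressing the access control matrix by choosing equivalence classes on subjects (domains) and objects (types), and the cost of tearing down a subject's rights depending on whether rights are stored with subjects or with objects, can be made concrete in a few dozen lines. The following is an added illustration, not code from the original post or from any DTE implementation; every subject, object, label and right in it is constructed sample data, and the domain and type names are hypothetical.

```python
"""Added example (not from the original post): compressing an access control
matrix with DTE-style domain/type equivalence classes, and comparing row
(capability-list) versus column (ACL) storage when a subject goes away.
All subjects, objects, labels and rights below are constructed sample data."""

# Constructed sample access control matrix: subject -> object -> rights.
FULL_MATRIX = {
    "login_daemon": {"/etc/passwd": {"r"}, "/var/log/auth": {"w"}, "/home/alice/notes": set()},
    "alice_shell":  {"/etc/passwd": {"r"}, "/var/log/auth": set(), "/home/alice/notes": {"r", "w"}},
    "alice_editor": {"/etc/passwd": {"r"}, "/var/log/auth": set(), "/home/alice/notes": {"r", "w"}},
    "syslogd":      {"/etc/passwd": set(), "/var/log/auth": {"w"}, "/home/alice/notes": set()},
}

# Hypothetical equivalence classes: domains on subjects, types on objects.
DOMAIN_OF = {"login_daemon": "login_d", "alice_shell": "user_d",
             "alice_editor": "user_d", "syslogd": "log_d"}
TYPE_OF = {"/etc/passwd": "passwd_t", "/var/log/auth": "log_t",
           "/home/alice/notes": "user_data_t"}


def build_dte_table(matrix, domain_of, type_of):
    """Collapse the matrix into a (domain, type) -> rights table.

    Raises ValueError when two subjects in one domain (or two objects of one
    type) hold different rights: the classes are then too coarse to express
    the policy without widening or narrowing somebody's access."""
    table = {}
    for subj, row in matrix.items():
        for obj, rights in row.items():
            key = (domain_of[subj], type_of[obj])
            if key in table and table[key] != frozenset(rights):
                raise ValueError(f"equivalence classes too coarse at {key}")
            table[key] = frozenset(rights)
    return table


def is_too_coarse(matrix, domain_of, type_of):
    """True if the chosen classes cannot represent the matrix exactly."""
    try:
        build_dte_table(matrix, domain_of, type_of)
    except ValueError:
        return True
    return False


def check_access(table, domain_of, type_of, subj, obj, right):
    """Access check against the compressed table: one lookup per request."""
    return right in table.get((domain_of[subj], type_of[obj]), frozenset())


def expand(table, domain_of, type_of):
    """Rebuild the full matrix; equals the input when the classes were fine enough."""
    return {s: {o: set(table[(d, t)]) for o, t in type_of.items()}
            for s, d in domain_of.items()}


def as_acls(matrix):
    """Column storage: each object carries the subjects that may use it."""
    acls = {}
    for subj, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acls.setdefault(obj, {})[subj] = set(rights)
    return acls


def drop_subject_from_caps(caps, subj):
    """Row storage: destroying a subject discards one row. Returns entries examined."""
    caps.pop(subj, None)
    return 1


def drop_subject_from_acls(acls, subj):
    """Column storage: every object's ACL must be visited. Returns entries examined."""
    examined = 0
    for entries in acls.values():
        examined += 1
        entries.pop(subj, None)
    return examined


if __name__ == "__main__":
    table = build_dte_table(FULL_MATRIX, DOMAIN_OF, TYPE_OF)
    print(f"{len(table)} (domain,type) entries replace "
          f"{sum(len(r) for r in FULL_MATRIX.values())} matrix cells")
    print("alice_editor may write notes:",
          check_access(table, DOMAIN_OF, TYPE_OF, "alice_editor", "/home/alice/notes", "w"))
    caps = {s: dict(r) for s, r in FULL_MATRIX.items()}
    acls = as_acls(FULL_MATRIX)
    print("entries touched to destroy alice_editor: caps =",
          drop_subject_from_caps(caps, "alice_editor"),
          "acls =", drop_subject_from_acls(acls, "alice_editor"))
```

The `build_dte_table` check is the interesting part: it refuses a domain assignment that lumps together subjects with different rights, which is exactly the failure mode of a too-coarse equivalence class such as "user". Putting `alice_shell` into `login_d` in the sample trips it, because the login daemon and the shell disagree on the audit log. The two `drop_subject_*` functions only count entries visited, but the asymmetry they show (one row versus a scan over every object) is the performance argument the post makes for storing rights with whichever side of the matrix is short-lived.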