Why one does NOT want access lists (in files).

Wed Oct 21 03:06:44 AEST 1981

>From walton at LL-XN Wed Oct 21 02:35:50 1981
There are at least two kinds of file protection system.  One, which I call
the work oriented one, associates a single lock with each file and a list
of keys with each process.  It aims to ensure that people get their work
done smoothly with little bother from the protection system.  The major
sin in this philosophy is for a legitimate user to be thwarted by the
protection system: so the emphasis is on making sure that everyone who
needs a key has it, without going overboard.

The other, which I call the security oriented one, associates one user id
with each process and a list of user id's with each file.  This is
appropriate to a real security system with strict monitoring of file
access, with only users with a need-to-know having access, etc.
The last thing you want to do is group users together in such a system.

The latter system is what I think of as an access list system, like
something Ken Thompson talked about adding to UNIX years ago, with
an access list for each file.  MULTICS apparently has such a system.
I suppose the former system might also be called an access list system,
but I am not used to it being called such.  Do not know quite what
to call it, frankly.  A lock-and-key list system maybe.  The idea
is that the locks are dumb, like real world locks, whereas a file
access list is a smart lock.

This latter system is not that appropriate for UNIX, except for KSOS, NSA's
attempt to make a version of UNIX suitable for use in a real security
environment.  Its too easy to lose control of security in other ways
in UNIX.  The first system is work oriented because it is easier
to maintain keys than locks, since each user deals with only one user
but many files, so a system with dumb easily maintained locks on the
files and smart lists of keys is easier to work with than a system
with smart locks and dumb keys.

I have an interesting hypothesis to the effect that there is no real
use for a system that maintains a list of group id's with the process
and another with the file's and attempts a full matrix match.
I.e., it is sufficient to have smart keys interacting with dumb locks
and smart locks with dumb keys, but not have any interaction between
smart keys and smart locks.

Of course everything is an efficiency matter in the end, since either
of the above systems can be used to emulate the other, but with such
poor efficiency and bad user confusion that one would not want to do it
very much.

I find this is my third missive on this subject in a few days: one
proposal and two responses.  I am going to try the combined strategy
of accumulating public responses and responding in appropriate cases only
to individuals in order to reduce this rate.  Unfortunately, while
proposals in this area are often simple, analysis of the requirements
placed on such a system is not, so I hope the rest of you will
tolerate me if I invite debate for a little while longer.