
Motivation

It is well known that classic *nix-style access control is insecure. For me, there are three major reasons:
  1. Coarse granularity: All you have are the access modes read, write and execute, set for the file or directory owner, the file's assigned group, and all others. In very many cases, this is barely enough for secure administration.
  2. Discretionary control: You have to trust every user who handles sensitive or critical data to administer access control accordingly. Since users cannot manage groups of their own, they can hardly set up proper access control.

    Also, all discretionary access control is like an invitation to trojans and viruses, which can do anything the respective user is allowed to do.

  3. Superuser root - the worst of these three problems: root has full access to everything, even kernel memory, and is needed far too often. Too much software has to start or even run under the root account, e.g. many network daemons.

    Naturally, loads of exploits go through this dangerous account.
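The following model makes the first and third points concrete. It is an added example, not code from this document or from the project it introduces: a small Python evaluator of the classic owner/group/others check, run against constructed sample accounts (the uids, gids and names are hypothetical). It exhausts all 512 permission modes to show that no mode can grant read access to two members of the same group while denying a third, and it shows that the check looks only at credentials, so root (uid 0) reads a file whose mode grants nothing to anyone.

```python
# Permission bit values for one class (owner, group or others), as in <sys/stat.h>.
READ, WRITE, EXEC = 4, 2, 1


def unix_access(mode, owner, group, uid, gids, want):
    """Classic *nix permission check for one regular file.

    mode   : the nine permission bits, e.g. 0o640
    owner  : file owner uid;  group: file group gid
    uid    : requesting process uid;  gids: set of gids the process holds
    want   : bitmask of READ | WRITE | EXEC being requested

    Only the credentials matter: which program runs under them is invisible
    to the check, which is why a trojan inherits its user's whole access.
    """
    if uid == 0:
        # Superuser: read and write are always granted; execute only
        # requires that at least one execute bit is set on the file.
        return not (want & EXEC) or bool(mode & 0o111)
    # Exactly one of the three classes applies, in this fixed order.
    if uid == owner:
        bits = (mode >> 6) & 0o7
    elif group in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return (bits & want) == want


# Constructed sample accounts (hypothetical uids/gids): name -> (uid, gids).
USERS = {
    "alice": (1000, {100}),    # file owner, member of group 100
    "bob": (1001, {100}),      # member of group 100, should read the file
    "carol": (1002, {100}),    # member of group 100, should NOT read the file
    "mallory": (1003, {200}),  # unrelated user
}


def who_can(mode, owner, group, want, users=USERS):
    """Return the sorted list of user names granted 'want' on the file."""
    return sorted(name for name, (uid, gids) in users.items()
                  if unix_access(mode, owner, group, uid, gids, want))


def modes_granting_exactly(target, owner, group, want, users=USERS):
    """Exhaust all 512 permission modes and return those that grant 'want'
    to exactly the users in 'target' and to nobody else."""
    target = sorted(target)
    return [m for m in range(0o1000)
            if who_can(m, owner, group, want, users) == target]


if __name__ == "__main__":
    # A file owned by alice (1000), group 100, readable by the group.
    print(who_can(0o640, 1000, 100, READ))
    # Requirement: alice and bob may read, carol (same group) may not.
    # With only owner/group/others there is no mode expressing this...
    print(modes_granting_exactly({"alice", "bob"}, 1000, 100, READ))
    # ...unless the administrator creates a dedicated group (here gid 300),
    # which ordinary users cannot do for themselves.
    print(who_can(0o640, 1000, 300, READ, {**USERS, "bob": (1001, {100, 300})}))
    # Root is granted read on a file whose mode grants nothing to anyone.
    print(unix_access(0o000, 1000, 100, 0, set(), READ))
```

Because bob and carol share the same group and neither owns the file, every mode puts them in the same class, so the exhaustive search comes back empty; the only fix in this model is a new group, which is exactly the administrative step the text says users cannot perform for themselves.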




2001-09-17