October 16, 2001, 12:00 AM — Given the recent flood of new worms and viruses infecting the Net, it
is worth noting that systems designed to be impervious to these types
of threats are available. But are they really appropriate for
developing and serving Web sites? Yes and no.
A concept called Mandatory Access Control (MAC) makes many of these
secure operating systems different. Though it has been around since the
80's, MAC is still (literally) an obscure bureaucratic methodology not
easily explained in plain language.
What is Mandatory Access Control?
The relationships are divvied up between subjects and objects. The
subjects can be thought of as users, or anything accessing an object.
An object is the process, file, or piece of information being accessed.
All subjects are assigned domains, which can be thought of as security
clearances, and all objects are assigned types, which can be thought of
as security classifications. Security policies are created based upon
the sensitivity of the object not at the discretion of the user that
The subject (a user, process, or administrator) may be able to access a
file, but, because the file retains its classification label, they may
not be able to transfer it to another user, or use any system utilities
to copy it from the system. The system recognizes the label on the
file, and will not allow the file to be read or otherwise processed by
a user or process of lesser clearance. The system will check the file
for its classification, and deny another process access to the file
unless the process has adequate clearance.
How is this different from regular Unix permissions?
Any user with ownership of the file can modify regular Unix
permissions. Regardless of the information's sensitivity in a file, it
can be copied, e-mailed, or read by a user if the file's permissions
(read, write, execute, relative to the user, their group, and Everyone)
In a MAC system, if a file has been given a specific level of
sensitivity (or context), then the system will not allow certain users,
programs, or even administrators to perform operations on the file.
Though this may sound like a subtle difference, imagine you were able
to set a log file's sensitivity higher than that of the mailer program.
Though you could read, write, and copy the file as needed, not even an
administrator could email the file to another system because the mailer
lacks the clearance to handle information with your file's level of
classification. It is a shift in perspective from using users
like "nobody", "uucp", "www" and their accompanying group ID's to
separate duties on the system, to requiring that each file on the
system have authoritative security information about itself.
Next Week: Mandatory Access Control, Part 2: Enter SELinux