[lug] securing files
Bear Giles
bgiles at coyotesong.com
Mon Apr 22 20:28:44 MDT 2002

> Right now they are on an NFS share. I'd like to make it so that the
> files can't be copied anywhere but can still be read by the appropriate
> people.

This sounds like "mandatory access control (MAC)." NSA Linux may have
it now, but probably doesn't. The way it works is the file system
maintains some extra bits (e.g., do-not-copy, do-not-print,
print-only-with-security-banner, etc.) and all applications honor these
bits.

But I don't think any COTS OS supports MAC. The problem is the standard
access control (including ACLs) and discretionary access control (DAC)
can be implemented in the OS, while MAC requires that every application
also be well behaved. That's possible in a tightly constrained environment,
but not COTS software.

This level of paranoia is appropriate if the data getting out could
reasonably result in a few hundred million deaths. Somehow I doubt
you're dealing with equally sensitive material.

So what's the real story here? Why are you looking for a technical
solution to the "no copy" policy, instead of relying on standard
management tools like NDAs, bad performance reviews and possibly even
termination of people who don't follow policy?

Bear