
Citing wikipedia's MAC article:

With mandatory access control, this security policy is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted. By contrast, discretionary access control (DAC), which also governs the ability of subjects to access objects, allows users the ability to make policy decisions and/or assign security attributes. (The traditional Unix system of users, groups, and read-write-execute permissions is an example of DAC.) MAC-enabled systems allow policy administrators to implement organization-wide security policies. Under MAC (and unlike DAC), users cannot override or modify this policy, either accidentally or intentionally. This allows security administrators to define a central policy that is guaranteed (in principle) to be enforced for all users.

From what I've read, with MAC, the system defines security levels and with DAC, each user is responsible for assigning permissions to access its files based on user identity and not on security level.

In Unix, you cannot assign access to a specific user to a file based on its identity (considering only the rwx permissions with groups, and not ACL). You can't even change the file ownership to another user without elevated permissions. Besides, even if you could, the access is evaluated based on your "ownership" or "membership" (owner, group or other) and not on each user's identity. This also resembles more of a MAC model than DAC.

So why is the Linux filesystem permissions model considered a DAC model?

user134167
  • Related, look into FACLs on Unix/Linux where you can indeed give out individual permissions, DAC style. – multithr3at3d Dec 05 '18 at 14:06
  • Yes, that's why I specified "considering only the rwx permissions with groups, and not ACL", but Wikipedia only refers to the traditional permissions. – user134167 Dec 05 '18 at 14:20

3 Answers

I don't think the granularity of permissions that can be achieved is relevant here. It doesn't matter if permission can be assigned to specific users, it matters which users can change permissions. Perhaps the DAC article is more clear about this:

In computer security, discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria[1] "as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. *The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject* (unless restrained by mandatory access control)".

(emphasis mine)

The key difference between MAC and DAC is that with DAC someone who has certain permissions to a file is able to alter that file's permissions.

The term DAC is commonly used in contexts that assume that every object has an owner that controls the permissions to access the object, probably because many systems do implement DAC using the concept of an owner. But the TCSEC definition does not say anything about owners, so technically an access control system doesn't have to have a concept of owner to meet the TCSEC definition of DAC.

Users (owners) have under this DAC implementation the ability to make policy decisions and/or assign security attributes. A straightforward example is the Unix file mode, which represents write, read, and execute in each of the 3 bits for each of User, Group and Others. (It is prepended by another bit that indicates additional characteristics.)

AndrolGenhald

In a discretionary access control system the owner of the source decides who can access data. In a mandatory access control system an admin decides who can access data, which is then typically determined by policy. For example, all files in the ABC directory can only be read by XYZ users. In a MAC system no non-XYZ users could read the file. In a DAC system the owner of the file could say "screw the admins, I'm going to make those files globally readable." That's what happens with Linux file systems, hence they're DAC by default.

Note: With SELinux enabled what's described above is no longer true.

Swashbuckler
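As an added example, not code from the question or any of the answers: a small Python model of the two rules AndrolGenhald's and Swashbuckler's answers rely on. Access evaluation picks exactly one class (owner, group or other) by identity, and only the owner or root may change the mode bits, which is what makes the scheme discretionary. The names Inode, check_access, can_chmod, chmod and demo, and the scenario in demo, are assumptions made for this example.

```python
# Added example (not from the question or any answer): a model of how Linux
# evaluates the traditional rwx bits on a regular file, and of the
# discretionary part, namely who may change them. All names are hypothetical.
from __future__ import annotations
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one 3-bit class


@dataclass
class Inode:
    uid: int    # owning user
    gid: int    # owning group
    mode: int   # the 9 rwx bits, e.g. 0o640


def check_access(inode: Inode, uid: int, groups: set[int], want: int) -> bool:
    """True if a process with uid/groups may perform `want` (R|W|X).

    The kernel selects one class by identity and never falls through to a
    more permissive one: a file with mode 0o077 is unreadable by its owner
    even though every other user can read it.
    """
    if uid == 0:
        # root bypasses read/write checks; execute still needs some x bit set
        return (want & X) == 0 or (inode.mode & 0o111) != 0
    if uid == inode.uid:
        bits = (inode.mode >> 6) & 7      # owner class
    elif inode.gid in groups:
        bits = (inode.mode >> 3) & 7      # group class
    else:
        bits = inode.mode & 7             # other class
    return (bits & want) == want


def can_chmod(inode: Inode, uid: int) -> bool:
    """DAC: the owner (or root) may change the mode; nobody else can."""
    return uid == 0 or uid == inode.uid


def chmod(inode: Inode, uid: int, new_mode: int) -> None:
    if not can_chmod(inode, uid):
        raise PermissionError("EPERM: only the owner or root may chmod")
    inode.mode = new_mode & 0o777


def demo() -> tuple[bool, bool]:
    # Constructed scenario from Swashbuckler's answer: the admin intends the
    # file to be readable only by group 500 ("XYZ"); the owner (uid 1000)
    # simply opens it to everyone, and no policy stops that.
    f = Inode(uid=1000, gid=500, mode=0o640)
    before = check_access(f, uid=2000, groups={600}, want=R)  # other: denied
    chmod(f, uid=1000, new_mode=0o644)                        # owner's discretion
    after = check_access(f, uid=2000, groups={600}, want=R)   # other: allowed
    return before, after
```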

This is a good thread on this subject.

There is a lot of confusion and overloaded terms when it comes to security models (e.g. Discretionary Access Control vs Non-Discretionary Access Control vs/AKA Mandatory Access Control).

Even searching across NIST documents/definitions you will find inconsistencies in terminology.

On top of the aspects discussed above, there is another level of "discretion" in some systems that can add to the confusion. As stated, in vanilla Linux it is only possible for the "owner" of the file to change permissions. Now think of a system like Google Docs, where the owner of a doc can give a 3rd party (another Google user) the right to share a file with a 4th party. :)

I'm currently trying to come up with a phrase that describes this "googleDoc" kind of additional discretion. I started out going down this path thinking of DAC/MAC from the perspective of the 3rd party.

Ken Adler