Title: A Guide To Understanding Discretionary Access Control In Trusted Systems
Authors: National Computer Security Center
Abstract:
- This publication, "A Guide to Understanding Discretionary Access
Control In Trusted Systems," is issued by the National Computer
Security Center (NCSC) under the authority of and in accordance with
Department of Defense (DoD) Directive 5215.1, "Computer Security
Evaluation Center." The guidelines defined in this document are
intended to be used by computer hardware and software designers who
are building systems with the intent of meeting the requirements of
the Department of Defense Trusted Computer System Evaluation Criteria,
DoD 5200.28-STD.
Title: The Operator Shell: A Means Of Privilege Distribution In Unix
Authors: Michael Neuman Gary Christoph
Abstract:
- The Operator Shell (Osh) is a setuid root, security enhanced,
restricted shell for providing fine-grain distribution of system
privileges for a wide range of usages and requirements. Osh offers a
marked improvement over other Unix privilege distribution systems in
its ability to specify access to both commands and files, auditing
features, and familiar interface. This paper describes the design,
features, security considerations, internals, and applications of the
Operator Shell.
Title: Proxy-Based Authorization and Accounting for Distributed Systems
Authors: B. Clifford Neuman
Abstract:
- Despite recent widespread interest in the secure authentication
of principals across computer networks there has been considerably
less discussion of distributed mechanisms to support authorization
and accounting. By generalizing the authentication model to support
restricted proxies, both authorization and accounting can be easily
supported. This paper presents the proxy model for authorization
and shows how the model can be used to support a wide range of
authorization and accounting mechanisms. The proxy model strikes a
balance between access-control-list and capability-based mechanisms
allowing each to be used where appropiate and allowing their use in
conbination. The paper describes how restricted proxies can be
supported using existing authetication methods.
|