[lug] securing files

Bear Giles bgiles at coyotesong.com
Mon Apr 22 20:28:44 MDT 2002

> Right now they are on an NFS share.  I'd like to make it so that the
> files can't be copied anywhere but can still be read by the appropriate
> people.

This sounds like "mandatory access control (MAC)."  NSA Linux may have
it now, but probably doesn't.  The way it works is the file system 
maintains some extra bits (e.g., do-not-copy, do-not-print, 
print-only-with-security-banner, etc. and all applications honor these

But I don't think any COTS OS supports MAC.  The problem is the standard
access control (including ACLs) and discretionary access control (DAC)
can be implemented in the OS, while MAC requires that every application
also be well behaved.  That's possible in a tightly constrained environment,
but not COTS software.

This level of paranoia is appropriate if the data getting out could
reasonably result in a few hundred million deaths.  Somehow I doubt
you're dealing with equally sensitive material.

So what's the real story here?  Why are you looking for a technical 
solution to the "no copy" policy, instead of relying on standard 
management tools like NDAs, bad performance reviews and possibly even
termination of people to don't follow policy?


More information about the LUG mailing list