1.1.2 Discretionary Access Control (DAC)

Discretionary Access Control (DAC) bases access decisions on the user's identity and on the access control rules in effect on the system. DAC is the type of access control most commonly found in the PC and network computing worlds: Windows NT/2000, Linux and UNIX for the most part use DAC.

While MAC restricts the copying of data, DAC does not. DAC leaves decisions such as whether or not to copy a file up to the user's discretion: if you have read access on a DAC-based system, you can copy the data (for example via copy and paste) if you wish. On MAC-based systems, which contain special safeguards to prevent copying of sensitive data, this cannot happen. Why might this be important? If you were permitted to copy the data as well as view it, you could store it in a separate file that you control and set up your own list of users allowed to access that copy, including users who are not permitted to access the original file, in violation of the mandatory access control on the data.

One DAC model is owner-based DAC, in which the owner controls access to the resources they own. For example, the owner can grant or deny access to other users and define exactly what types of access (such as read or write) are permitted.

DAC usually involves an Access Control List (ACL) on each system object (file, device, etc.), which specifies which users can access that object and what type of access (such as read, write or execute) they can have. ACLs offer no protection against malicious programs such as Trojan horses, which typically run with the logged-in user's permissions: if a user runs a Trojan horse, virus, etc., the program can access whatever objects that user is permitted to access. (Refer to 1.5.2.)

An alternative to ACLs is a capability list for each system user, specifying which resources the user is permitted to access and the types of access permitted. (Note that the difference is that an ACL is attached to an object, while a capability list is attached to a user.)
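The copy-based leak and the ACL versus capability-list distinction described above, modeled as an added Python example. This is illustrative code, not CertiGuide's material and not the API of any real operating system; the users alice, bob and mallory, the file names, the two sensitivity levels and the file contents are constructed for the demonstration. The same toy file system runs in pure DAC mode and, when given a clearance table, with a simple mandatory label check layered in front of the ACL check, so the two outcomes of the Trojan horse scenario can be compared directly.

```python
"""Toy owner-based DAC with per-object ACLs, optionally fronted by a MAC
label check. Shows (1) a Trojan horse running as a permitted user copying
data into a file it owns and granting an outsider access, which DAC allows
and MAC blocks, and (2) ACLs and capability lists as column and row views of
the same access matrix. Constructed example, not real OS code."""

from dataclasses import dataclass, field

READ, WRITE = "read", "write"
LEVEL = {"public": 0, "secret": 1}          # constructed MAC sensitivity levels

# Constructed clearance table used only in MAC mode: user -> clearance level.
MAC_CLEARANCE = {"alice": "secret", "bob": "secret", "mallory": "public"}


@dataclass
class File:
    owner: str
    data: str
    label: str                               # sensitivity label, used only by the MAC check
    acl: dict = field(default_factory=dict)  # user -> set of permissions (the DAC ACL)


class FileSystem:
    """mac=None gives pure DAC; mac={user: clearance} adds a mandatory check."""

    def __init__(self, mac=None):
        self.files = {}
        self.clearance = mac

    def create(self, user, name, data, label="public"):
        if self.clearance is not None:
            # MAC: a new object inherits its creator's level; the creator
            # cannot choose a lower label to make the data more widely readable.
            label = self.clearance[user]
        self.files[name] = File(user, data, label, {user: {READ, WRITE}})

    def grant(self, actor, name, user, perms):
        f = self.files[name]
        if actor != f.owner:                 # owner-based DAC: only the owner edits the ACL
            raise PermissionError(f"{actor} does not own {name}")
        f.acl.setdefault(user, set()).update(perms)

    def allowed(self, user, name, perm):
        f = self.files[name]
        if self.clearance is not None and LEVEL[self.clearance[user]] < LEVEL[f.label]:
            return False                     # mandatory check first; the owner cannot override it
        return perm in f.acl.get(user, set())   # discretionary check second

    def read(self, user, name):
        if not self.allowed(user, name, READ):
            raise PermissionError(f"{user} may not read {name}")
        return self.files[name].data

    def capability_list(self, user):
        """One subject's row of the access matrix; each File.acl is a column."""
        return {n: sorted(f.acl[user]) for n, f in self.files.items() if user in f.acl}


def trojan(fs, victim, source, accomplice):
    """Malware run by `victim` executes with the victim's permissions: it reads
    what the victim may read, writes it to a new file the victim owns, and
    grants the accomplice discretionary read access to that copy. Returns the
    data the accomplice obtains, or None if the system stops the leak."""
    stolen = fs.read(victim, source)
    fs.create(victim, "copy.txt", stolen)
    fs.grant(victim, "copy.txt", accomplice, {READ})
    try:
        return fs.read(accomplice, "copy.txt")
    except PermissionError:
        return None


def demo(mac=None):
    """alice owns a secret file and grants bob read; mallory has no access.
    bob then runs the Trojan horse. Returns what mallory ends up reading."""
    fs = FileSystem(mac)
    fs.create("alice", "secret.txt", "Q3 merger terms", label="secret")
    fs.grant("alice", "secret.txt", "bob", {READ})
    if fs.allowed("mallory", "secret.txt", READ):
        raise AssertionError("mallory must not have direct access to the original")
    return trojan(fs, "bob", "secret.txt", "mallory")


if __name__ == "__main__":
    print("DAC only:", demo())                 # the leak succeeds
    print("DAC + MAC:", demo(MAC_CLEARANCE))   # copy.txt is labeled secret; mallory is denied
```

Note that in MAC mode bob's grant to mallory is still recorded in the ACL of copy.txt; it simply never takes effect, because the mandatory label comparison runs before the discretionary ACL lookup and the copy inherited bob's secret level. The `capability_list` method derives a user's capability list from the ACLs, which is the sense in which the two are the same access matrix read by row instead of by column.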
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com. Version 1.0 - Version Date: November 15, 2004. Adapted with permission from a work created by Tcat Houser et al. CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.