1.1.2 Discretionary Access Control (DAC)
Discretionary Access Control (DAC) is based on the users identity and the access control rules in effect on the system. DAC is the type of access control most commonly found in the PC and network computing worlds. NT/Windows 2000, Linux and UNIX for the most part use DAC. While MAC restricts the copying of data, DAC does not. Instead, DAC leaves decisions like, to copy or not to copy, up to the users discretion. If you have read access on a DAC-based system, you can copy the data (via copy/paste) if you wish. On MAC-based systems, which contain special safeguards to prevent copying of sensitive data, which cannot happen. Why might this be important? If you were permitted to copy the data as well as view it, you could potentially store it in a separate file you control, and set up your own list of users allowed to access it including users not permitted access to the original file, in violation of the mandatory access control on the data.
One DAC model is owner-based DAC, in which the owner controls access to resources they own. For example, the user can grant or deny access to others, and define exactly what types of access (such as read or write) are permitted.
DAC usually involves an Access Control List (ACL) on each system object (file, device, etc.), which specifies which users can have access to that object, and what type of access (such as read, write or execute) they can have. ACLs offer no protection against malicious programs like Trojan horses which typically run with the logged-in users permissions. If a user runs a Trojan horse, virus, etc., these programs can access whatever objects that user is permitted to access. (Refer to 1.5.2)
An alternative to ACLs is to use capability lists for each system user, specifying what resources the user is permitted to access, and the types of access permitted. (Note that the difference is that an ACL is assigned to an object, and a capability list is assigned to a user).
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.