Learning more about AUTH

DAC controls, and why one should care

Traditionally, Discretionary Access Control, or DAC as it is often known, has suffered from several deficiencies. The AUTH module attempts to address some of these issues by adding an additional layer of control over DAC-related activities.

Some of the activities that the AUTH module restricts were discussed earlier, when we changed the set_uid flag on the login prompt and the ssh daemon. In addition to controlling which processes can change their uid, the AUTH module also controls which processes can change their group.

CHANGE_GROUP, CHANGE_DAC_EFF_GROUP, CHANGE_DAC_FS_GROUP