Access control is the mechanism by which an operating system controls who gets access to what. For example, access control can prevent user Bob from messing with files owned by user Dan, and vice versa.

At the highest level, there are two different kinds of access control. The more common kind is Discretionary Access Control, or DAC. With DAC, there is a certain person (or persons) to whom the access control simply doesn't apply; they can do anything. This person is known as root/superuser on UNIX, Administrator on NT, and various other names. If an attacker manages to get access to this person's account (the machine has been rooted), then it's game over.

The other type of access control is Mandatory Access Control, or MAC. With MAC, there isn't anything on the computer that has complete access to everything. Not only does this make things harder for external attackers, it also allows the job of the administrator/superuser to be split up among several people, making it harder for any single person on the inside to compromise security.
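The two models above, evaluated over the same subjects and files, as an added example that is not part of the original page. It is a toy model, not any operating system's implementation; the domain and label names, the policy table, and the sample accounts and paths are all constructed for illustration.

```python
from dataclasses import dataclass

R, W = 4, 2  # permission bits, as in UNIX mode triplets

@dataclass(frozen=True)
class Subject:
    name: str
    uid: int
    domain: str   # hypothetical field, consulted only by the MAC model

@dataclass(frozen=True)
class File:
    path: str
    owner_uid: int
    mode: int     # owner/other bits, consulted only by the DAC model
    label: str    # hypothetical field, consulted only by the MAC model

def dac_allows(s, f, want):
    """DAC as described above: the superuser skips the check entirely."""
    if s.uid == 0:
        return True
    bits = (f.mode >> 6) & 7 if s.uid == f.owner_uid else f.mode & 7
    return (bits & want) == want

# Constructed MAC policy: (domain, label) -> allowed bits. Anything absent is
# denied and no domain is exempt, so admin duties are split across accounts.
MAC_POLICY = {
    ("dan_t", "dan_home_t"): R | W,
    ("account_admin_t", "account_db_t"): R | W,
    ("audit_admin_t", "audit_log_t"): R,
}

def mac_allows(s, f, want):
    """MAC: every subject, uid 0 included, is checked against the policy."""
    return (MAC_POLICY.get((s.domain, f.label), 0) & want) == want

def unrestricted(subjects, files, check):
    """Names of subjects that can read and write every file under `check`."""
    return [s.name for s in subjects if all(check(s, f, R | W) for f in files)]

# Constructed sample subjects and files.
ROOT = Subject("root", 0, "account_admin_t")
AUDITOR = Subject("auditor", 900, "audit_admin_t")
BOB = Subject("bob", 1001, "bob_t")
DAN = Subject("dan", 1002, "dan_t")
SUBJECTS = [ROOT, AUDITOR, BOB, DAN]
DAN_NOTES = File("/home/dan/notes", 1002, 0o600, "dan_home_t")
SHADOW = File("/etc/shadow", 0, 0o600, "account_db_t")
AUDIT_LOG = File("/var/log/audit.log", 0, 0o600, "audit_log_t")
FILES = [DAN_NOTES, SHADOW, AUDIT_LOG]
```

Calling `unrestricted(SUBJECTS, FILES, dac_allows)` returns the one account whose compromise is "game over", while the same call with `mac_allows` returns an empty list.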
