From owner-freebsd-questions Thu Nov 1 3:43:47 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from topaz.mdcc.cx (topaz.mdcc.cx [212.204.230.141]) by hub.freebsd.org (Postfix) with ESMTP id 49CD837B401 for ; Thu, 1 Nov 2001 03:43:38 -0800 (PST)
Received: from k7.mavetju.org (topaz.mdcc.cx [212.204.230.141]) by topaz.mdcc.cx (Postfix) with ESMTP id DC9472B72E; Thu, 1 Nov 2001 12:43:32 +0100 (CET)
Received: by k7.mavetju.org (Postfix, from userid 1001) id 9B4DE74F; Thu, 1 Nov 2001 22:43:21 +1100 (EST)
Date: Thu, 1 Nov 2001 22:43:21 +1100
From: Edwin Groothuis
To: Anthony Atkielski
Cc: FreeBSD Questions
Subject: Re: Tiny starter configuration for FreeBSD
Message-ID: <20011101224321.H35710@k7.mavetju.org>
Mail-Followup-To: Edwin Groothuis , Anthony Atkielski , FreeBSD Questions
References: <005a01c161ed$a19933c0$1401a8c0@tedm.placo.com> <5.1.0.14.2.20011101165340.02192a40@pop.ozemail.com.au> <005301c162bd$59ac2740$0a00000a@atkielski.com> <006e01c162bf$8c5d87e0$0b64a8c0@becca> <006b01c162c4$c6597cb0$0a00000a@atkielski.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <006b01c162c4$c6597cb0$0a00000a@atkielski.com>; from anthony@atkielski.com on Thu, Nov 01, 2001 at 12:03:00PM +0100
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, Nov 01, 2001 at 12:03:00PM +0100, Anthony Atkielski wrote:
> > How much more granular do you want?
>
> The ability to assign permissions by user is very important. That is, user A
> must be able to read and write, user B must be able to execute only, and so on.

I have been following this thread for a while and have a couple of
questions/remarks:

Is this true:
  The Windows security is based on who is running the console. There
  can't be more than one person logged in at the same time.
  The Unix security is based on who is logged in on the terminal. There
  are numerous terminals on a Unix system.

If the above is true, it would explain the reasoning why there are so
many different groups in which you can put people (like: a group which
can use the disk drive, a group which can erase the trashcan, a group
which can set up TCP sessions, a group which can flush the toilet),
because of the impossibility of making changes if you are not in the
right group: for a Unix system, if the admin wants to change something
for a user, he often remotely logs in, makes the changes and logs off.
For a Windows system, the current user has to log off, the admin has
to log in, make the change and log off, and the user logs in again.

I myself don't have problems with the one-person-who-can-do-anything
principle because the separation into groups is already built in under
Unix (as I see it):

For example, we needed a group of people who could restart a name
daemon. One small script, owned by user root and group dnsadmin,
permissions 4755: only people who were in the group dnsadmin could do
the task.

Another example, for the network troubleshooters: put these people in
the network group and they have read access to /dev/bpf*. No need for
root access if they want to run tcpdump.

Maybe your example wasn't well formulated and you want to do it again?
Of course it can be that my examples weren't what you expected them to
be, but these are from my experiences as a system administrator who had
to walk between total user anarchy and system security.

Edwin

-- 
Edwin Groothuis | Personal website: http://www.MavEtJu.org
edwin@mavetju.org | Interested in MUDs? Visit Fatal Dimensions:
------------------+ http://www.FatalDimensions.org/
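The restart-the-name-daemon delegation in the message above rests on the Unix file-mode check: which permission class the kernel consults for a caller, and what the setuid bit does to the uid the script runs with. The C program below is an added example, not part of Edwin's message or of FreeBSD; it implements that check with constructed uids and gids (root, a dnsadmin group, a member "bob", a non-member "eve", all assumed) so one can evaluate which modes actually limit execution to dnsadmin members. Under these rules a root:dnsadmin file with mode 4755 is executable by every user, while 4750 is executable only by root and dnsadmin members; the same evaluation, applied to the read bits, covers the /dev/bpf* case.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/stat.h>   /* S_ISUID, S_IXUSR, S_IXGRP, S_IXOTH */

/* Constructed ids for the illustration (assumptions, not from the message);
 * on a real host they come from /etc/passwd and /etc/group. */
#define UID_ROOT      0u
#define GID_DNSADMIN  1001u
#define UID_BOB       1002u   /* member of dnsadmin */
#define UID_EVE       1003u   /* not a member of dnsadmin */

const unsigned BOB_GROUPS[] = { GID_DNSADMIN };
const size_t   BOB_NGROUPS  = 1;

/* 1 if the caller belongs to the file's group through the primary gid or
 * any supplementary group. */
static int in_group(unsigned gid, const unsigned *groups, size_t ngroups,
                    unsigned file_group)
{
    if (gid == file_group)
        return 1;
    for (size_t i = 0; i < ngroups; i++)
        if (groups[i] == file_group)
            return 1;
    return 0;
}

/* Classic Unix execute check. Exactly one permission class is consulted:
 * owner if the uid matches the file owner, else group if the caller is in
 * the file's group, else "other". Root may execute when any x bit is set. */
int may_execute(unsigned mode, unsigned file_owner, unsigned file_group,
                unsigned uid, unsigned gid,
                const unsigned *groups, size_t ngroups)
{
    if (uid == UID_ROOT)
        return (mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
    if (uid == file_owner)
        return (mode & S_IXUSR) != 0;
    if (in_group(gid, groups, ngroups, file_group))
        return (mode & S_IXGRP) != 0;
    return (mode & S_IXOTH) != 0;
}

/* Uid the process runs with after exec: the file owner when the setuid
 * bit is set, otherwise the caller's own uid. */
unsigned uid_after_exec(unsigned mode, unsigned file_owner, unsigned uid)
{
    return (mode & S_ISUID) ? file_owner : uid;
}

static void report(const char *who, unsigned uid, unsigned gid,
                   const unsigned *groups, size_t ngroups, unsigned mode)
{
    int ok = may_execute(mode, UID_ROOT, GID_DNSADMIN, uid, gid, groups, ngroups);
    printf("mode %04o  %-4s may execute: %s", mode, who, ok ? "yes" : "no ");
    if (ok)
        printf("  (runs as uid %u)", uid_after_exec(mode, UID_ROOT, uid));
    printf("\n");
}

int main(void)
{
    /* A script owned by root:dnsadmin, evaluated under two candidate modes. */
    const unsigned modes[] = { 04755, 04750 };
    for (size_t i = 0; i < 2; i++) {
        report("bob", UID_BOB, UID_BOB, BOB_GROUPS, BOB_NGROUPS, modes[i]);
        report("eve", UID_EVE, UID_EVE, NULL, 0, modes[i]);
    }
    return 0;
}
```

On a real system the inputs to may_execute would come from getuid(2), getgid(2) and getgroups(2) for the caller and from stat(2) for the file; here they are literals so the check can be run offline. Note that the evaluation only covers the classic mode bits; ACLs or a kernel that ignores the setuid bit on interpreted scripts are outside it.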