Date: Thu, 1 Nov 2001 22:43:21 +1100
From: Edwin Groothuis <edwin@mavetju.org>
To: Anthony Atkielski <anthony@atkielski.com>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: Tiny starter configuration for FreeBSD
Message-ID: <20011101224321.H35710@k7.mavetju.org>
In-Reply-To: <006b01c162c4$c6597cb0$0a00000a@atkielski.com>; from anthony@atkielski.com on Thu, Nov 01, 2001 at 12:03:00PM +0100
References: <005a01c161ed$a19933c0$1401a8c0@tedm.placo.com> <5.1.0.14.2.20011101165340.02192a40@pop.ozemail.com.au> <005301c162bd$59ac2740$0a00000a@atkielski.com> <006e01c162bf$8c5d87e0$0b64a8c0@becca> <006b01c162c4$c6597cb0$0a00000a@atkielski.com>

On Thu, Nov 01, 2001 at 12:03:00PM +0100, Anthony Atkielski wrote:
> > How much more granular do you want?
>
> The ability to assign permissions by user is very important. That is, user A
> must be able to read and write, user B must be able to execute only, and so on.

I have been following this thread for a while and have a couple of
questions/remarks:

Is this true:

The Windows security is based on who is running the console. There
can't be more than one person logged in at the same time.

The Unix security is based on who is logged in on the terminal.
There are numerous terminals on a Unix system.

If the above is true, it would explain the reasoning why there are
so many different groups in which you can put people (like: group
which can use the diskdrive, group which can erase the trashcan,
group which can setup tcp-sessions, group which can flush the toilet)
because of the impossibility to make changes if you are not in the
right group:

For a Unix-system, if the admin wants to change something for a
user, he often remotely logs in, makes the changes and logs off.

For a Windows-system, the current user has to log off, the admin has
to log in, make the change, log off, and the user logs in again.

Me myself I don't have problems with the one-person-who-can-do-anything
principle because the separation in groups is already built-in under
Unix (how I see it):

For example we needed a group of people who could restart a
name-daemon. One small script, owned by user root and group dnsadmin,
permissions 4755: Only people who were in the group dnsadmin could
do the task.

Another example for the network-troubleshooters: put these people
in the network group and they have read access to /dev/bpf*. No
need for root-access if they want to run tcpdump.

Maybe your example wasn't well formulated and you want to do it again?
Of course it can be that my examples weren't what you expected to be,
but these are from my experiences as system administrator who had to
walk between total user-anarchy vs system-security.

Edwin

-- 
Edwin Groothuis   |   Personal website: http://www.MavEtJu.org
edwin@mavetju.org |   Interested in MUDs? Visit Fatal Dimensions:
------------------+   http://www.FatalDimensions.org/
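
Added example, not part of Edwin's message: a Python check of which user classes a mode such as 4755 or 4750 lets execute a set-uid helper delegated to one group, as in the dnsadmin case above. The function names, finding codes and the gid 1053 are constructed for illustration.

```python
import grp
import os
import stat

# Finding codes and what each means for a set-uid helper delegated to one group.
FINDINGS = {
    "no-setuid": "set-uid bit missing: helper runs with the caller's privileges",
    "wrong-group": "group owner is not the delegate group",
    "group-noexec": "delegate group lacks the execute bit",
    "world-exec": "execute bit set for 'other': group membership is not required",
    "writable": "writable by group or other: helper contents can be replaced",
}

def audit_mode(mode, file_gid, delegate_gid):
    """Return finding codes for a helper meant to be run only by delegate_gid."""
    perms = stat.S_IMODE(mode)  # drop file-type bits, keep the 07777 part
    found = []
    if not perms & stat.S_ISUID:
        found.append("no-setuid")
    if file_gid != delegate_gid:
        found.append("wrong-group")
    if not perms & stat.S_IXGRP:
        found.append("group-noexec")
    if perms & stat.S_IXOTH:
        found.append("world-exec")
    if perms & (stat.S_IWGRP | stat.S_IWOTH):
        found.append("writable")
    return found

def audit_path(path, group_name):
    """Audit a real file against a named group (the group must exist locally)."""
    st = os.stat(path)
    return audit_mode(st.st_mode, st.st_gid, grp.getgrnam(group_name).gr_gid)

if __name__ == "__main__":
    DNSADMIN_GID = 1053  # constructed gid standing in for the dnsadmin group
    for mode in (0o4755, 0o4750, 0o4770):
        codes = audit_mode(mode, DNSADMIN_GID, DNSADMIN_GID)
        print(oct(mode), codes or "ok")
        for code in codes:
            print("   ", FINDINGS[code])
```
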