Subject: Security Issues Re: HELP: Need reasons to use Linux / UNIX (Please Read) From: Rex Ballard Date: Fri, 5 Jul 1996 19:48:44 -0400
How the Web Was Won
In-Reply-To: <4rgci6$sar@ns2.ptd.net>
Message-ID: 
References: <833058917.18622.0@melech.demon.co.uk>  <4qf79l$d85@ns2.ptd.net> <4qmm1a$muk@digital.netvoyage.net> <4rgci6$sar@ns2.ptd.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII



	Rex Ballard - Director of Electronic Distribution
	Standard & Poor's/McGraw-Hill
	Opinions expressed do not necessarily reflect
	the Management of the McGraw-Hill Companies.
	http://cnj.digex.net/~rballard


On 4 Jul 1996, Ed Tillman wrote:

> In article <4qmm1a$muk@digital.netvoyage.net>, jjs@digital.netvoyage.net 
> says...
> 
> >>This is more of a security problem than an NT vs Unix problem. At my 
> >>workplace I spend a fair amount of time tracking down people in the Unix
> >>group so that I can pull files from the Unix boxes that I don't have
> >>permissions for. 
> >
> >An appropriate question here would be 
> >"Why don't you have permission to access those files

It's interesting that you are stuck because of too much security.  In
reality, there are many ways to get the effect you want.  Typically, you
will have workstations, departmental servers, and enterprise servers.  The
Workstation can be used to keep private, confidential, or frequently
changed files.  The Departmental server(s) can be used for communication
between workgroup members and between other workgroups.  The enterprise
data can be used for storing "finished product", including reports that
you want to publish, source code in release format, and system access.

Workstations, Departmental, and Enterprise servers can all use NFS mounts
and exports to control who gets in and who gets out.  In about 90 minutes,
you could whip up a TCL/TK script that will let you have a GUI interface
to the application if you like.  Or you can just edit the files with VI
(the original UNIX DATABASE :-).  Generally you can export to a "backup"
user that can do backups.  You can also export directories and permission
them to specific hosts and/or users.  Under NIS, you can upgrade them to
netgroups, which means the enterprise sysop can even lock you out of your
own machine (very useful when you are about to terminate an employee with
a high risk of going super user and typing rm -rf).

> More like a silly question since I just answered it. Because I'm not in the 
> Unix development group and don't even have accounts on some of the 
> machines. Does this mean that for a Unix system to operate the way everyone 
> describes, you need to give everyone superuser access? Great security that.

Not at all.  People need to be aware of what files they want to export and
which ones they consider private.  You can have as much security as you
like, but the more you add, the more complicated it gets.

> >No, there is no need to create any "special shared directory" on
> >a Unix machine in order to allow access to files. Your home directory
> >would do - and most places on the system should be accessible as well,
> >unless you do not have an account on the machine at all (I would be 
> >curious as to why) and can access the machine only via http or anonymous
> >ftp. The access privileges of http and anonymous ftp clients are 
> >restricted for very sound reasons.

I generally dislike exporting my entire home directory.  This is
especially true when I have company confidential information (like
personnel information)  that I don't even want my own subordinates to
view.

> I get in through NFS usually. I think I may have accounts on only two of the 
> Unix machines. I'm not sure if I really want to get accounts on all of them as 
> people who do tell me this involves maintaining 15-20 different accounts. I'll 
> stick with my single login thanks.

Linux has another cute feature, if you want it.  A single machine can
mount several other machines and become a "server" of the composite NFS
filesystems.  For the Windows people, you can also make them available via
SAMBA to WFW users.

> >--
> >Joe Sloan              - I have seen the future and it is Linux -
> 

	Rex Ballard
	http://cnj.digex.net/~rballard
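
The reply above talks about restricting NFS exports to specific hosts or NIS netgroups and about not exporting a whole home directory. The following is an added example, not part of the original post: a small audit of a Linux exports(5) file that flags the entries that undo those restrictions. The sample file, host names, the netgroup name and the function name audit_exports are all constructed for illustration.

```python
import re

# Constructed sample in Linux exports(5) syntax; hosts and netgroup are made up.
SAMPLE_EXPORTS = """\
# departmental server
/export/reports   *(ro)
/export/src       @devteam(rw) buildhost.example.com(ro)
/home/rex         ws1.example.com(rw,no_root_squash)
/export/backup    backuphost.example.com (ro)
"""

CLIENT_RE = re.compile(r"^([^()]*)(?:\(([^()]*)\))?$")


def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    # Join backslash-continued lines, then handle one export per line.
    for line in text.replace("\\\n", " ").splitlines():
        tokens = line.split("#", 1)[0].split()
        if not tokens:
            continue
        path, clients = tokens[0], tokens[1:]
        # Whole home directories (/home or /home/<user>) expose private files.
        if path.rstrip("/").count("/") <= 2 and (path + "/").startswith("/home/"):
            findings.append((path, "", "entire home directory exported"))
        for tok in clients:
            m = CLIENT_RE.match(tok)
            if not m:
                findings.append((path, tok, "unparseable client entry"))
                continue
            client = m.group(1)
            opts = set(filter(None, (m.group(2) or "").split(",")))
            # "host (ro)" with a space yields an empty client: options apply to everyone.
            if client in ("", "*"):
                mode = "read-write" if "rw" in opts else "read-only"
                findings.append((path, client or "(any)", f"{mode} to any host"))
            if "no_root_squash" in opts:
                findings.append((path, client or "(any)", "client root keeps root access"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:18} {client:22} {finding}")
```

The netgroup and single-host entries for /export/src pass cleanly; the space in "backuphost.example.com (ro)" is what turns the last line into an export to every host.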



Newsgroups: comp.os.linux.advocacy,comp.os.ms-windows.nt.advocacy