Post #254,448
5/4/06 4:48:59 PM
|
ACLs versus UNIX User:Group security?
Having used Windows for a long time, I've gotten quite used to ACL-based security, and am now having to rewrap my mind around the Unix-style User:Group security model. I'm curious, is ACL considered a better security model, or is there a sane reason that User:Group is still used today in Linux?
When somebody asks you to trade your freedoms for security, it isn't your security they're talking about.
|
Post #254,464
5/4/06 6:28:36 PM
|
If you mean access lists (ACL), you need both.
TCP wrappers is a standard nix ACL; user:group is still needed for granularity. thanx, bill
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free american and do not reflect the opinions of any person or company that I have had professional relations with in the past 50 years. meep
|
Post #254,466
5/4/06 7:11:27 PM
|
Remember, complex does not mean secure
There is a real advantage to having something simple enough that people can understand it. And if you want more complex stuff in Unix, you can get it.
And, of course, real security weenies consider both systems hopelessly bad...
Cheers, Ben
I have come to believe that idealism without discipline is a quick road to disaster, while discipline without idealism is pointless. -- Aaron Ward (my brother)
|
Post #254,469
5/4/06 9:46:47 PM
|
Besides which, I am under the impression
that the userid/groupid model in unix is just a wrapper around ACLs anyway.
--
-------------------------------------------------------------------
* Jack Troughton jake at consultron.ca *
* [link|http://consultron.ca|http://consultron.ca] [link|irc://irc.ecomstation.ca|irc://irc.ecomstation.ca] *
* Kingston Ontario Canada [link|news://news.consultron.ca|news://news.consultron.ca] *
-------------------------------------------------------------------
|
Post #254,487
5/5/06 2:23:11 AM
|
My impression contradicts that
|
Post #254,488
5/5/06 2:47:08 AM
|
Nah.
ACLs are a bolt-on in Linux.
Proprietary UNIX has more integrated support.
Peter [link|http://www.no2id.net/|Don't Let The Terrorists Win] [link|http://www.kuro5hin.org|There is no K5 Cabal] [link|http://guildenstern.dyndns.org|Home] Use P2P for legitimate purposes!
|
Post #254,498
5/5/06 9:46:35 AM
|
Bolt-on? How so?
It either works on the file system or it doesn't.
Only certain filesystems actually support it. To the kernel it is as much a bolt-on as any of the loadable modules are. It is in the core kernel tree. How is that a bolt-on? You could compile it into the kernel just like filesystem support, *IF* you wanted. Then you have to enable it on the filesystem in question.
Now, Pile-on I can buy. ACLs are on-top of existing UGO stuff.
Now, if you are talking about easy-to-use Point-n-drool... Sure, commercial *NIX have it better off. But would you REALLY call SAM in HPUX a *GOOD* interface for it? Or rather ANY of the Administration tools that commercial *NIX systems have? Hell I'd rather use Linuxconf with a custom module than any of those. Or even Webmin.
One thing Microsoft's stuff hasn't gotten right yet... is letting you into a directory, then giving you full read and execute in a sub-directory, without bleeding through the rights mask and screwing up the parent directory. You have to address it file by file.
Now, speaking of your beloved VMS, yes there is a great model of security, bolted on... but in replacement of other mechanisms... and it rules with not just an Iron-Fist... but also a Powered-War-Hammer, as a fallback, and has an auto-targeting-never-miss Sniper Rifle with quite a few miles of range (real limits unknown). IOW, if you should not even know of the existence of a certain object/file/device... you'll have zero clue about it.
-- [link|mailto:greg@gregfolkert.net|greg], [link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
Freedom is not FREE. Yeah, but 10s of Trillions of US Dollars? SELECT * FROM scog WHERE ethics > 0;
0 rows returned.
|
Post #254,508
5/5/06 10:56:58 AM
|
On "real security weenies"...
Yeah, there is no such thing as a secure computer. I know, I know...
|
Post #254,511
5/5/06 11:11:08 AM
|
But some are better than others
Capability-based systems like, say, the AS/400 have a fundamentally better security model than any user access scheme. (Which both ACLs and the Unix model are.)
Cheers, Ben
|
Post #254,606
5/6/06 5:10:47 AM
|
Awooga! Pedant alert!
The AS/400 is the computer, and you can run Linux on that if you like.
You're referring to OS/400.
I now return you to your regular programme.
|
Post #254,625
5/6/06 10:49:59 AM
|
except for the giant gapers in it, ask skip offline
|
Post #254,757
5/8/06 11:18:55 AM
|
Will do but...
the point was that the model was better, not necessarily the implementation.
Similarly the model of ACLs has a lot of advantages over traditional Unix permissions, however that doesn't make Windows more secure.
Cheers, Ben
|
Post #254,471
5/4/06 10:16:06 PM
|
Linux has both.
The older UGO security is the default, but ACLs have been available for quite a while.
apt-get install acl
Remount the filesystem to enable them.
man mount
Mount options for ext2: acl / noacl: Support POSIX Access Control Lists (or not).
Start reading: man setfacl
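To show what setfacl actually layers on top of the UGO bits (and why the mask matters, as the "bleeding through the rights mask" complaint above hints), here is an added model of the POSIX.1e access-check order that Linux applies; it is not code from this thread, and the uids, gids and permissions are constructed sample values.

```python
"""Model of the POSIX.1e ACL access check used by Linux filesystems.

Constructed example: named user/group entries sit on top of the classic
owner/group/other (UGO) bits, and the mask entry caps every entry except
the owner's and 'other'. setfacl -m u:1001:rx on a mode-750 directory is
modelled below; chmod g-x on that directory then only changes the mask.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

R, W, X = 4, 2, 1  # permission bits, as in the "rwx" triplets


@dataclass
class Acl:
    owner_uid: int
    group_gid: int
    user_obj: int                                    # u::  (ACL_USER_OBJ)
    group_obj: int                                   # g::  (ACL_GROUP_OBJ)
    other: int                                       # o::  (ACL_OTHER)
    users: Dict[int, int] = field(default_factory=dict)   # u:uid:perms
    groups: Dict[int, int] = field(default_factory=dict)  # g:gid:perms
    mask: Optional[int] = None                       # m::  (ACL_MASK)


def effective(perms: int, acl: Acl) -> int:
    """The mask caps named users, named groups and the owning group."""
    return perms if acl.mask is None else perms & acl.mask


def check_access(acl: Acl, uid: int, gids: Set[int], want: int) -> bool:
    # 1. Owner: the u:: entry applies and is never masked.
    if uid == acl.owner_uid:
        return want & acl.user_obj == want
    # 2. A matching named-user entry beats every group entry.
    if uid in acl.users:
        return want & effective(acl.users[uid], acl) == want
    # 3. Owning group plus any named groups the process belongs to:
    #    one entry that grants the request (after the mask) is enough.
    candidates = [acl.group_obj] if acl.group_gid in gids else []
    candidates += [p for g, p in acl.groups.items() if g in gids]
    if candidates:
        return any(want & effective(p, acl) == want for p in candidates)
    # 4. Everyone else falls through to o::.
    return want & acl.other == want


def sample_dir() -> Acl:
    """Directory owned by 1000:1000, mode 750, after setfacl -m u:1001:rx."""
    # setfacl recomputes the mask as the union of group and named entries.
    return Acl(1000, 1000, R | W | X, R | X, 0, users={1001: R | X}, mask=R | X)
```

With an ACL present, the group bits shown by ls -l are the mask, so chmod g-x lowers the mask and silently strips execute from the named user even though getfacl still lists u:1001:r-x.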
|
Post #254,484
5/5/06 1:58:36 AM
|
UNIX has ACLs.
I prefer capability-based systems, like you can do with VMS identifiers, though.
|
Post #254,500
5/5/06 9:47:57 AM
|
see my "Bolt on? How so?" post.
|