ACLs versus UNIX User:Group security?
Having used Windows for a long time, I've gotten quite used to ACL-based security, and am now having to rewrap my mind around the Unix-style User:Group security model. I'm curious, is ACL considered a better security model, or is there a sane reason that User:Group is still used today in Linux?
When somebody asks you to trade your freedoms for security, it isn't your security they're talking about.
if you mean access lists (ACL) you need both
TCP Wrappers is a standard *nix ACL; user:group is still needed for granularity.
thanx,
bill
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free american and do not reflect the opinions of any person or company that I have had professional relations with in the past 50 years. meep
Remember, complex does not mean secure
There is a real advantage to having something simple enough that people can understand it. And if you want more complex stuff in Unix, you can get it.

And, of course, real security weenies consider both systems hopelessly bad...

Cheers,
Ben
I have come to believe that idealism without discipline is a quick road to disaster, while discipline without idealism is pointless. -- Aaron Ward (my brother)
Besides which, I am under the impression
that the userid/groupid model in unix is just a wrapper around ACLs anyway.
--
-------------------------------------------------------------------
* Jack Troughton                            jake at consultron.ca *
* [link|http://consultron.ca|http://consultron.ca]   [link|irc://irc.ecomstation.ca|irc://irc.ecomstation.ca] *
* Kingston Ontario Canada   [link|news://news.consultron.ca|news://news.consultron.ca] *
-------------------------------------------------------------------
My impression contradicts that
Nah.
ACLs are a bolt-on in Linux.

Proprietary UNIX has more integrated support.


Peter
[link|http://www.no2id.net/|Don't Let The Terrorists Win]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
Bolt-on? How so?
It either works on the file system or it doesn't.

Only certain filesystems actually support it. To the kernel it is as much a bolt-on as any of the loadable modules are. It is in the core kernel tree. How is that a bolt-on? You could compile it into the kernel just like filesystem support, *IF* you wanted. Then you have to enable it on the filesystem in question.

Now, Pile-on I can buy. ACLs are on-top of existing UGO stuff.

Now, if you are talking about easy-to-use Point-n-drool... Sure, commercial *NIX have it better off. But would you REALLY call SAM in HP-UX a *GOOD* interface for it? Or rather ANY of the administration tools that commercial *NIX systems have? Hell, I'd rather use Linuxconf with a custom module than any of those. Or even Webmin.

One thing Microsoft's stuff hasn't gotten right yet... is letting you into a directory, then giving you full read and execute in a sub-directory, without bleeding through the rights mask and screwing up the parent directory. You have to address it file by file.

Now, speaking of your beloved VMS, yes, there is a great model of security, bolted on... but in replacement of other mechanisms... and it rules with not just an Iron-Fist... but also a Powered-War-Hammer, as a fallback, and has an auto-targeting-never-miss Sniper Rifle with quite a few miles of range (real limits unknown). IOW, if you should not even know of the existence of a certain object/file/device... you'll have zero clue about it.
--
[link|mailto:greg@gregfolkert.net|greg],
[link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
Freedom is not FREE.
Yeah, but 10s of Trillions of US Dollars?
SELECT * FROM scog WHERE ethics > 0;

0 rows returned.
On "real security weenies"...
Yeah, there is no such thing as a secure computer. I know, I know...
But some are better than others
Capability based systems like, say, the AS 400 have a fundamentally better security model than any user access scheme. (Which both ACLs and the Unix model are.)

Cheers,
Ben
Awooga! Pedant alert!
The AS/400 is the computer, and you can run Linux on that if you like.

You're referring to OS/400.

I now return you to your regular programme.


except for the giant gapers in it, ask skip offline
Will do but...
the point was that the model was better, not necessarily the implementation.

Similarly the model of ACLs has a lot of advantages over traditional Unix permissions, however that doesn't make Windows more secure.

Cheers,
Ben
Linux has both.
The older UGO security is the default, but ACLs have been available for quite a while.

apt-get install acl

Remount the filesystem to enable them.

man mount

Mount options for ext2
acl / noacl
Support POSIX Access Control Lists (or not).

Start reading:
man setfacl
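As an added example, not from any post in this thread: a small Python evaluator that reads getfacl-style output and answers "can this user do that?" in the check order documented in acl(5), which makes the mask effect visible (the mask caps named users and all group entries, but never the owner or other). The ACL text, user names and group names below are constructed.

```python
# Added example (not from any post in this thread): evaluate who may do what
# under a POSIX ACL, following the check order documented in acl(5).
# SAMPLE_ACL is constructed text in getfacl(1) output format.
SAMPLE_ACL = """\
# owner: alice
# group: staff
user::rw-
user:bob:rw-
group::r--
group:audit:rw-
mask::r--
other::---
"""

def parse_acl(text):
    """Parse getfacl-style text into a dict of permission sets."""
    acl = {"users": {}, "groups": {}, "mask": None}
    for raw in text.splitlines():
        head = raw.strip()
        if head.startswith("# owner:"):
            acl["owner"] = head.split(":", 1)[1].strip()
        elif head.startswith("# group:"):
            acl["owning_group"] = head.split(":", 1)[1].strip()
        entry = head.split("#", 1)[0].strip()   # drop '#effective:' notes
        if not entry:
            continue
        tag, qualifier, perms = entry.split(":", 2)
        perms = set(perms) - {"-"}
        if tag in ("user", "group") and qualifier:
            acl[tag + "s"][qualifier] = perms        # named user / named group
        else:
            acl[{"user": "user_obj", "group": "group_obj"}.get(tag, tag)] = perms
    return acl

def check_access(acl, uid, gids, requested):
    """True if uid/gids get every permission in requested ('r', 'w', 'x').
    The mask caps named users and all group entries, never owner or other."""
    want, mask = set(requested), acl["mask"]
    masked = (lambda p: p) if mask is None else (lambda p: p & mask)
    if uid == acl["owner"]:
        return want <= acl["user_obj"]
    if uid in acl["users"]:
        return want <= masked(acl["users"][uid])
    entries = [acl["group_obj"]] if acl["owning_group"] in gids else []
    entries += [p for g, p in acl["groups"].items() if g in gids]
    if entries:   # any one matching group entry that grants everything suffices
        return any(want <= masked(p) for p in entries)
    return want <= acl["other"]
```

With the sample ACL, bob's user:bob:rw- entry is cut down to read-only by mask::r--, which is exactly what getfacl flags with "#effective:r--"; widening the mask to rw- restores his write access without touching his entry.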
UNIX has ACLs.
I prefer capability-based systems, like you can do with VMS identifiers, though.


see my "Bolt on? How so?" post.