Fredrik Eriksson wrote:
> On Mon, 11 May 2009 17:58:49 +0200, Darren New <dne### [at] sanrrcom> wrote:
>>> (I wonder how you get it to do the thing where it *asks* for
>>> permission to do stuff?)
>>
>> There's a flag in the header of the executable.
>
> Is there? I thought this was configured in the manifest.
I was sloppy. I should have said "it's a flag in the metadata in the
executable". Better? :-)
--
Darren New, San Diego CA, USA (PST)
There's no CD like OCD, there's no CD I knoooow!
Darren New wrote:
> Unless you have an example of a UNIX file system whose permissions are
> comparable to NTFS's? If you do, let me know, because that would be
> awesome.
There ARE ACL systems for Unix.
Nicolas Alvarez wrote:
> Darren New wrote:
>> Unless you have an example of a UNIX file system whose permissions are
>> comparable to NTFS's? If you do, let me know, because that would be
>> awesome.
>
> There ARE ACL systems for Unix.
Yes, but still based on the UID, on root having all access, and so on. And
as far as I can tell, no per-file encryption, no inherited permissions.
For example, when I can unplug a USB drive off one Unix system and plug it
into a different one and Fred (uid 1002) can't get to Jane's files (also uid
1002) on the USB drive, I'll be pleasantly surprised. Is there anything
already in Linux or whatever to make that work?
Does the Linux equivalent of "active directory" (which was Kerberos last I
looked) interact with the local file system well?
--
Darren New, San Diego CA, USA (PST)
There's no CD like OCD, there's no CD I knoooow!
Darren New wrote:
> For example, when I can unplug a USB drive off one Unix system and plug
> it into a different one and Fred (uid 1002) can't get to Jane's files
> (also uid 1002) on the USB drive, I'll be pleasantly surprised. Is there
> anything already in Linux or whatever to make that work?
Windows does this by assigning to every PC and every domain a large
random number which is hopefully "unique". Every user account created on
a specific PC has that PC's number as part of the account number.
Similarly, every domain user account has the domain number as part of
the account number.
If, by some freak of nature, two machines had the same ID, you could
indeed do weird stuff like what you're suggesting. It's just rather
unlikely. (Cloning a hard drive image and forgetting to randomise the ID
afterwards is about the only way...)
> Does the Linux equivalent of "active directory" (which was Kerberos last
> I looked) interact with the local file system well?
Last I checked, Active Directory uses the (pre-existing) Kerberos
network protocol for authentication.
As I understand it, Kerberos defines the wire protocol for how an
arbitrary client connects to an arbitrary server and authenticates
itself. What kind of security model you build using this is completely
up to you.
In the case of MS, they built the domain model. [Or, more exactly, took
their existing domain model and replaced the horribly broken LANMAN
subsystem with Kerberos.]
Kerberos says nothing about what happens on the local machine. The MS
domain security model does.
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
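The SID layout Orchid describes, as an added illustration that is not part of the thread: a small Python model of how a Windows security identifier binds an account's RID to the machine or domain that minted it, so RID 1002 on two PCs never collides the way a bare uid 1002 does. The machine identifiers in PC_A and PC_B are made up for the example.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int          # 48-bit identifier authority; 5 = NT authority
    subauthorities: tuple   # up to 15 x 32-bit values; the last one is the RID

    @classmethod
    def parse(cls, text: str) -> "Sid":
        parts = text.split("-")
        if len(parts) < 4 or parts[0] != "S":
            raise ValueError(f"not a SID string: {text!r}")
        subs = tuple(int(p) for p in parts[3:])
        if len(subs) > 15 or any(not 0 <= s < 2**32 for s in subs):
            raise ValueError("at most 15 sub-authorities, each 32-bit")
        return cls(int(parts[1]), int(parts[2]), subs)

    def __str__(self) -> str:
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(map(str, self.subauthorities)))

    @property
    def rid(self) -> int:          # relative identifier, unique only per issuer
        return self.subauthorities[-1]

    @property
    def issuer(self) -> "Sid":     # the machine or domain SID that minted the RID
        return Sid(self.revision, self.authority, self.subauthorities[:-1])

    def to_bytes(self) -> bytes:
        # On-disk/wire layout: revision, sub-authority count, 6-byte big-endian
        # authority, then each sub-authority as a little-endian uint32.
        return (struct.pack("<BB", self.revision, len(self.subauthorities))
                + self.authority.to_bytes(6, "big")
                + b"".join(struct.pack("<I", s) for s in self.subauthorities))

    @classmethod
    def from_bytes(cls, data: bytes) -> "Sid":
        revision, count = struct.unpack_from("<BB", data)
        subs = struct.unpack_from("<%dI" % count, data, 8)
        return cls(revision, int.from_bytes(data[2:8], "big"), subs)

# Constructed (made-up) machine SIDs for two PCs; real ones are S-1-5-21-<96 random bits>.
PC_A = "S-1-5-21-1111111111-2222222222-3333333333"
PC_B = "S-1-5-21-4000000001-123456789-987654321"

def same_principal(a: str, b: str) -> bool:
    # True only when both SIDs name the same account: same issuer AND same RID.
    return Sid.parse(a) == Sid.parse(b)
```

Fred on PC_A and Jane on PC_B both get RID 1002, yet their full SIDs differ, which is exactly the distinction a POSIX uid cannot make.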
Orchid XP v8 wrote:
> Kerberos says nothing about what happens on the local machine. The MS
> domain security model does.
Right. And my basic question there was whether the UNIX stuff underlying the
Kerberos can distinguish uid 1002 on one machine from uid 1002 on another
machine.
--
Darren New, San Diego CA, USA (PST)
There's no CD like OCD, there's no CD I knoooow!
On Tue, 12 May 2009 13:54:10 -0700, Darren New wrote:
> Yes, but still based on the UID, on root having all access, and so on.
> And as far as I can tell, no per-file encryption, no inherited
> permissions.
Novell Storage System (NSS) on Linux isn't based on this at all. ACLs
are completely eDirectory-dependent and root (while they might be able to
see stuff in the filesystem) doesn't automatically have all rights to the
files.
:-)
Jim
Darren New wrote:
> Orchid XP v8 wrote:
>> Kerberos says nothing about what happens on the local machine. The MS
>> domain security model does.
>
> Right. And my basic question there was whether the UNIX stuff underlying
> the kerberos can distinguish uid 1002 on one machine from uid 1002 on
> another machine.
In the same way a Windows domain has globally-unique UIDs shared between
systems, I guess you could network-mount or in some other way
keep /etc/passwd synced across computers. Then a username will mean the
same UID on any machine.
Jim Henderson wrote:
> Novell Storage System (NSS) on Linux isn't based on this at all.
How does NSS know who is trying to access the files? Do you have to use a
non-Linux login to connect to the storage system or something?
--
Darren New, San Diego CA, USA (PST)
There's no CD like OCD, there's no CD I knoooow!
Nicolas Alvarez wrote:
> In the same way a Windows domain has globally-unique UIDs shared between
> systems, I guess you could network-mount or in some other way
> keep /etc/passwd synced across computers.
Only if they're all network connected from the start. I can't take two
already-set-up UNIX machines and connect them both to the same NFS drives
and not expect problems, for example.
Windows manages to make this work even without a domain or network
connectivity. Sure, you can get around it with work, but the default isn't
to confuse two accounts as one just because they come from different machines.
--
Darren New, San Diego CA, USA (PST)
There's no CD like OCD, there's no CD I knoooow!
On Tue, 12 May 2009 20:10:29 -0700, Darren New wrote:
> Jim Henderson wrote:
>> Novell Storage System (NSS) on Linux isn't based on this at all.
>
> How does NSS know who is trying to access the files? Do you have to use
> a non-Linux login to connect to the storage system or something?
Yes, you log in through eDirectory.
The eDirectory user can be a LUM (Linux User Management) enabled user,
which uses the LDAP integration to authenticate local users to the
directory, but yeah, it can be configured to be entirely independent of
the OS' use of UID.
Jim