Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: Notesfiles; site hpvclc.UUCP
Path: utzoo!watmath!clyde!cbosgd!ihnp4!houxm!vax135!cornell!uw-beaver!tikal!hplsla!hpvclc!ericr
From: ericr@hpvclc.UUCP (ericr)
Newsgroups: net.unix-wizards
Subject: Re: new user id system idea.
Message-ID: <18200004@hpvclc.UUCP>
Date: Thu, 2-May-85 13:16:00 EDT
Article-I.D.: hpvclc.18200004
Posted: Thu May 2 13:16:00 1985
Date-Received: Sun, 5-May-85 02:10:34 EDT
References: <6611@ucbvax.UUCP>
Lines: 46
Nf-ID: #R:ucbvax:-661100:hpvclc:18200004:000:1918
Nf-From: hpvclc!ericr May 2 10:16:00 1985

The idea as presented would be very handy. In fact, I once implemented the group administrator idea when I was at Washington State Univ. The main reason we did it was to overcome the system-imposed limit of 255 uid's which we had at the time. The side-effect, however, was that a TA could manipulate his student accounts without free run of the system. Unfortunately, I did that some years ago and have no listings left. WSU cs dept. may still have it, but I am not sure.

On the negative side about your suggestion, I see how many loopholes can develop in our two-level security scheme; I just cringe when I think of what can develop with this multi-dimensional matrix that you suggest. In short, I think that security would suffer greatly.

Several other systems, including Hewlett Packard's MPE and Digital's RSX series OS's, used more of a single-dimension scheme where each user had a set of permission flags. I am more familiar with MPE so I will discuss some of its features. First, the 'super-user' has the SM (System Manager) bit set. This will allow him free run. The next level down is the 'AM' bit. He can create users within his account with their own logins and give them any permissions that he himself has. Then, there are the interactive permission and batch permission flags.

On the administration side, there is the OP (Operator) which will allow such sundry tasks as spool control, backups, etc. He has no control over the account structure.

The real beauty of this scheme is that you can mix and match to your heart's content to get the appropriate security scheme for each user.

So, what I am suggesting is possibly the present uid and gid and an additional perm field which has permissions which can be individually mixed and matched.

You asked for an opinion and you got it :)

Eric Ross
ihnp4!hpfcla!hpvcla!hpvclc!ericr
Hewlett Packard Vancouver, Division
(206)254-8110
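
The flag scheme described in the post above, sketched as an added example (not code from the post, from MPE, or from the WSU implementation): a perm bit field beside uid and gid, with the rule that an AM holder may grant only flags he himself holds and only within his own account. The bit values, the PERM_INTERACTIVE and PERM_BATCH names, the struct layout, the use of gid as the "account" and the can_grant() helper are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Flag names SM, AM and OP follow the post; the bit values and the
 * INTERACTIVE/BATCH names are assumptions made for this example. */
enum {
    PERM_SM          = 1u << 0, /* System Manager: free run of the system */
    PERM_AM          = 1u << 1, /* may create users within his own account */
    PERM_OP          = 1u << 2, /* operator: spool control, backups */
    PERM_INTERACTIVE = 1u << 3, /* interactive logins allowed */
    PERM_BATCH       = 1u << 4  /* batch jobs allowed */
};

struct user {
    unsigned uid;   /* the present uid */
    unsigned gid;   /* the present gid, treated here as the "account" */
    unsigned perm;  /* additional field of individually settable flags */
};

/* May `admin` create a user in account `gid` holding the `requested` flags? */
bool can_grant(const struct user *admin, unsigned gid, unsigned requested)
{
    if (admin->perm & PERM_SM)
        return true;                 /* SM is unrestricted */
    if (!(admin->perm & PERM_AM))
        return false;                /* e.g. OP alone: no account control */
    if (admin->gid != gid)
        return false;                /* AM is confined to his own account */
    /* AM may hand out only flags he holds: requested must be a subset. */
    return (requested & ~admin->perm) == 0;
}

int main(void)
{
    /* Constructed sample users: a TA with AM, and an operator. */
    struct user ta = { 200, 30, PERM_AM | PERM_INTERACTIVE };
    struct user op = { 201, 30, PERM_OP | PERM_INTERACTIVE | PERM_BATCH };

    printf("TA grants interactive, own account: %d\n", can_grant(&ta, 30, PERM_INTERACTIVE));
    printf("TA grants batch (not held):         %d\n", can_grant(&ta, 30, PERM_BATCH));
    printf("TA grants in another account:       %d\n", can_grant(&ta, 31, PERM_INTERACTIVE));
    printf("Operator creates a user:            %d\n", can_grant(&op, 30, PERM_INTERACTIVE));
    return 0;
}
```

The subset test is what keeps delegation from escalating: a flag can only move down from a holder, never appear from nowhere.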