Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!cbosgd!gatech!ut-sally!im4u!smoot
From: smoot@im4u.UUCP (Mitchell)
Newsgroups: net.unix-wizards
Subject: Re: Symbolic user names and RFS
Message-ID: <759@im4u.UUCP>
Date: Sun, 16-Feb-86 12:45:13 EST
Article-I.D.: im4u.759
Posted: Sun Feb 16 12:45:13 1986
Date-Received: Mon, 17-Feb-86 06:23:35 EST
References: <674@oliveb.UUCP> <1246@ubc-ean.UUCP>
Organization: U. Texas CS Dept., Austin, Texas
Lines: 25
Keywords: RFS chown
Summary: Security in a networking environment

It seems that it is *imperative* for security reasons to have the same UID/GID ==> username mapping on any systems which share filesystems. Here at the University of Texas CS Dept, we run mostly 4.2 BSD systems and have been very careful to maintain a uniform user and group mapping system. We handle it by having a master copy of the password and group files maintained on a single system and then distribute particular user accounts to specific machines; i.e., everyone doesn't have a userid on every machine, but a single user's userid is the same on every machine he is validated to use. To do otherwise seems to invite all kinds of chaos.

We have developed software to handle this situation when validating new accounts (mostly shell scripts). Anyone who is interested in getting a copy of the stuff we use is more than welcome to it. I am also investigating using the ARPA Internet nameservice to handle these mappings in a more uniform way. I'll let everybody know if I have success in that endeavor.

I might add that we do have a number of departments sharing the same Ethernet that do not participate in the uniform naming system we use. Of course, if we decide to share files with them using a network file system, that problem will have to be straightened out. We have encouraged other departments to use the same system we have, at least on the systems they own, with varying degrees of success.
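
An added example, not part of the original post and not the UT CS Dept. scripts it mentions: a check that passwd files collected from several hosts agree on the username <-> UID mapping the post calls for on machines that share filesystems. The host names, accounts and file contents are constructed samples, and the function names are hypothetical.

```python
"""Audit passwd files from several hosts for inconsistent name <-> UID mappings."""
from collections import defaultdict

# Constructed sample data: host name -> contents of that host's passwd file.
SAMPLE = {
    "hostA": "root:*:0:0:Root:/:/bin/sh\nalice:*:101:20:Alice:/u/alice:/bin/csh\n"
             "bob:*:102:20:Bob:/u/bob:/bin/csh\n",
    "hostB": "root:*:0:0:Root:/:/bin/sh\nalice:*:101:20:Alice:/u/alice:/bin/csh\n"
             "carol:*:102:20:Carol:/u/carol:/bin/csh\n",
    "hostC": "root:*:0:0:Root:/:/bin/sh\nbob:*:205:20:Bob:/u/bob:/bin/csh\n"
             "# comment\nbroken line\n",
}

def parse_passwd(text):
    """Yield (name, uid) pairs; skip blank, comment and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # A passwd entry has 7 colon-separated fields; field 3 is the numeric UID.
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        yield fields[0], int(fields[2])

def audit(hosts):
    """Return a list of ("name" | "uid", key, {conflicting value: [hosts]})."""
    name_to_uids = defaultdict(lambda: defaultdict(set))  # name -> uid -> hosts
    uid_to_names = defaultdict(lambda: defaultdict(set))  # uid -> name -> hosts
    for host, text in hosts.items():
        for name, uid in parse_passwd(text):
            name_to_uids[name][uid].add(host)
            uid_to_names[uid][name].add(host)
    findings = []
    # One user name with different UIDs: the user loses access to their own files.
    for name, uids in sorted(name_to_uids.items()):
        if len(uids) > 1:
            findings.append(("name", name, {u: sorted(h) for u, h in uids.items()}))
    # One UID with different names: files on a shared filesystem appear to be
    # owned by, and are accessible to, a different person on another host.
    for uid, names in sorted(uid_to_names.items()):
        if len(names) > 1:
            findings.append(("uid", uid, {n: sorted(h) for n, h in names.items()}))
    return findings

if __name__ == "__main__":
    for kind, key, detail in audit(SAMPLE):
        print(f"{kind} conflict for {key!r}: {detail}")
```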