Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!gatech!bloom-beacon!langz
From: langz@athena.mit.edu (Lang Zerner)
Newsgroups: comp.misc
Subject: Re: access-lists vs. unix permissions
Message-ID: <1151@bloom-beacon.MIT.EDU>
Date: Thu, 16-Jul-87 13:39:46 EDT
Article-I.D.: bloom-be.1151
Posted: Thu Jul 16 13:39:46 1987
Date-Received: Sat, 18-Jul-87 07:46:34 EDT
References: <1334@ssc-vax.UUCP> <860@ssc-bee.ssc-vax.UUCP>
Sender: daemon@bloom-beacon.MIT.EDU
Reply-To: langz@athena.mit.edu (Lang Zerner)
Organization: Massachusetts Institute of Technology
Lines: 41

In article <860@ssc-bee.ssc-vax.UUCP> nelson@ssc-vax.UUCP (Paul W. Nelson) writes:
>in article <1334@ssc-vax.UUCP>, herber@ssc-vax.UUCP (David A Wilson) says:
>> I can see no reason
>> that unix permissions cannot provide equivalent level of data access
>> protection to access-lists. With multiple group membership, such as provided
>> in BSD Unix, file access can be controlled to any level desired.
>
>The problem with this approach is that it requires the system administrator
>to set up new groups.

This is a real problem, but it could be easily gotten around by implementing
access-group utilities which had write permission to /etc/group, but did not
give that permission to their invokers. For example, adduser could make sure
that its caller owns the file before adding to the access group for . That
way, the user would not have the ability to arbitrarily diddle /etc/group, but
would nevertheless be able to alter the access groups to his or her own files
*without* contacting a system administrator.

>How many groups do you think would be required to
>cover each file that needs access-list type protection? It could be very
>significant,

Not relative to the number of access lists you would need to provide the same
protection. You would need exactly one group for each file which had access
list protection, just as you'd need exactly one access list per file in an
access list-based system.

>not to mention cumbersome trying to remember which group goes
>with which file.

Quite simple, really, if you just use group names like "/usr/jruser/libX.a".
Remember that /etc/group is an ASCII file, so it's not a problem to use slashes
and punctuation characters (except the colon) in group names.

------------------------------------------------------------------------------
Lang Zerner
ARPA/Internet: langz@athena.mit.edu
UUCP/Usenet: ...{mirror|seismo|blblbl}!mit-eddie!langz@athena
USPS: P.O. Box 247, M.I.T. Branch, Cambridge, MA 02139
Phone: 617/628-7156
"Nothing is ever accomplished by a reasonable man." -- George Bernard Shaw
==============================================================================
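
The ownership check described in the post above, sketched as an added example that is not part of the original post or any real utility. The names `add_to_access_group`, `check_field` and `Denied` are hypothetical, the group records are constructed, and the code assumes the access group already exists and works on group-file text passed in rather than writing /etc/group itself.

```python
import os
import tempfile

class Denied(Exception):
    """The request is refused; the group file is left unchanged."""

def check_field(value, forbidden):
    # /etc/group is one record per line, colon-separated, with comma-separated
    # members, so these characters in a name would forge fields or records.
    if not value or any(c in value for c in forbidden):
        raise Denied(f"illegal value {value!r}")

def add_to_access_group(group_text, path, member, caller_uid, stat=os.stat):
    """Return group-file text with `member` added to the group named `path`."""
    check_field(path, ":\n")
    check_field(member, ":,\n")
    if not os.path.isabs(path):
        raise Denied("group name must be an absolute path")
    # A privileged helper compares the file's owner with the invoker's real
    # uid (os.getuid()), never with the effective uid the helper runs under.
    if stat(path).st_uid != caller_uid:
        raise Denied("caller does not own the file")
    out, found = [], False
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == path:
            found = True
            members = [m for m in fields[3].split(",") if m]
            if member not in members:
                members.append(member)
            fields[3] = ",".join(members)
            line = ":".join(fields)
        out.append(line)
    if not found:
        raise Denied("no access group exists for this file")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Constructed demo: a temp file owned by the current user, with a group
    # record named after its path, as the post suggests.
    with tempfile.NamedTemporaryFile() as f:
        sample = f"staff:*:10:root\n{f.name}:*:200:jruser\n"
        print(add_to_access_group(sample, f.name, "alice", os.getuid()), end="")
```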