Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!ames!pasteur!ucbvax!LUCID.COM!lnz
From: lnz@LUCID.COM (Leonard Zubkoff)
Newsgroups: comp.sys.apollo
Subject: apollo "native ethernet" is too good ???
Message-ID: <8810270047.AA00098@nineveh>
Date: 27 Oct 88 00:47:12 GMT
References: <21@lgnp1.MASA.COM>
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 22

Actually, it's not pretty, but you *can* have multiple master registries on the same network; it is, however, a bit of an administrative nightmare. What you need to do is manually arrange that all the person, full_name, project, and organization information matches, with only the account files being different. This will allow the ring-segments to interoperate reasonably, but somewhat inhibit logins from one segment to another. Note that if a user has physical access to a machine, of course, they can just netboot off a node in their own segment and gain control that way.

One problem that is essentially impossible to get around is the pervasiveness of root/locksmith, but if a file has acl's that allow only local access (every line of the form p.p.o.node_id), then I believe even remote root may be protected against. Of course that means you better not allow crp or rlogin.

If you want any sharing at all, it's next to impossible to really protect yourself against a malicious user on another segment. For example, even though NFS by default maps root to nobody so that special access is not granted, a system administrator on one segment (or on any remote NFS system) could create a user id that matches yours, and then su to that id and access your files via NFS.

Leonard
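
The NFS point in the post above, as an added example that is not part of the original post: a small Python model of the server-side decision when an NFS server trusts the uid the client sends, showing which files stay exposed when only root is mapped to nobody. The `Export` options, the `NOBODY` value and the sample files are constructed assumptions, and group permissions are ignored.

```python
"""Model of an NFS server's access decision when it trusts client-supplied
uids. Constructed illustration, not real NFS server code."""
from dataclasses import dataclass

NOBODY = 65534  # assumed "nobody" uid; the real value is server-specific


@dataclass(frozen=True)
class Export:
    root_squash: bool = True   # the default the post describes: root -> nobody
    all_squash: bool = False   # map every client uid to nobody


@dataclass(frozen=True)
class FileEntry:
    owner_uid: int
    mode: int  # POSIX permission bits, e.g. 0o600


def effective_uid(export: Export, claimed_uid: int) -> int:
    """Return the uid the server acts as for a uid claimed by the client."""
    if export.all_squash or (export.root_squash and claimed_uid == 0):
        return NOBODY
    return claimed_uid


def may_read(export: Export, entry: FileEntry, claimed_uid: int) -> bool:
    uid = effective_uid(export, claimed_uid)
    if uid == 0:
        return True                       # unsquashed root bypasses mode bits
    if uid == entry.owner_uid:
        return bool(entry.mode & 0o400)   # owner read bit
    return bool(entry.mode & 0o004)       # "other" read bit (groups ignored)


def exposed(export: Export, files: dict) -> list:
    """Files readable by a client whose administrator can claim any uid."""
    hits = []
    for path, entry in files.items():
        candidates = {0, entry.owner_uid, NOBODY}
        if any(may_read(export, entry, uid) for uid in candidates):
            hits.append(path)
    return sorted(hits)


# Constructed sample files: path -> owner uid and mode
SAMPLE = {
    "/home/alice/notes": FileEntry(1001, 0o600),
    "/etc/secret": FileEntry(0, 0o600),
    "/pub/readme": FileEntry(1001, 0o644),
}
```

With only root mapped to nobody, `exposed(Export(), SAMPLE)` still lists the private file owned by uid 1001; mapping every client uid to nobody leaves only the world-readable file.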