Path: utzoo!utgpu!watmath!clyde!att!alberta!calgary!cpsc!thompson
From: thompson@cpsc.ucalgary.ca (Bruce Thompson)
Newsgroups: comp.sys.apollo
Subject: Re: flame on aegis acls (was re: acls probs with domain/ix)
Summary: What about project leaders/administrators?
Message-ID: <337@cs-spool.calgary.UUCP>
Date: 16 Dec 88 02:20:10 GMT
References: <8812100838.AA25757@umix.cc.umich.edu>
Sender: news@calgary.UUCP
Lines: 41

In article <8812100838.AA25757@umix.cc.umich.edu>, GBOPOLY1@NUSVM.BITNET (fclim) writes:
>
> furthermore, i don't understand why any user would want to take the
> 'p' right away from himself and give it to others. a simple /etc/chown
> is much better.
> if i am in a project group, i will still retain the 'p' right on
> the files that i create. but, i will not give 'p' and 'g' rights
> to the members of my group; although i may give them both 'r' and
> 'w' rights. i don't foresee any reason why members would want to
> (g)rant a subset of the acls to persons outside of the project group
> and to (p)rotect (or unprotect) the files that i've initiated.
> any granting and protecting should be done by me, the author.

I think that a valid point is being missed here. It seems to me that a
project leader/administrator would find the (P) and (G) rights extremely
useful. This would allow him/her to take full responsibility for the
security of the project's tree, granting project members appropriate
rights, etc. This would tend to support a decentralized system admin.
approach. The overall (root) system administrators could spend their
time dealing with global issues, while the individual project
administrators deal with issues concerning the particular project. As
well, a project administrator has the freedom to create shared directory
areas, where the issue of who 'owns' the directory, and/or the files and
sub-directories, is moot.

Take a look some time at the project administration/system
administration setup in use on MULTICS systems. It seems to me that the
ACLs on Apollos were intended to allow this sort of admin. organization.
The key point though is that there is nothing which implies that this
sort of approach MUST be used.

Admittedly, this whole issue seems to have evolved out of a legitimate
complaint with regards to the UNIX to AEGIS security mappings; I don't
think the problem resides in the additional functionality which ACLs
provide.

	Cheers,
	Bruce Thompson
------------------------------------------------------------------------------
Bruce Thompson                          | "Never get into an argument with a
University of Calgary,                  | fool. People may not be able to
Computer Science Department             | tell the difference" - ????
(403)220-3538 or (403)220-5017 (office) |
                                        | "Don't look at me, I only say
...!alberta!calgary!vaxb!thompson       | them."