Path: utzoo!censor!geac!jtsv16!uunet!cs.utexas.edu!tut.cis.ohio-state.edu!ucbvax!RICHTER.MIT.EDU!krowitz
From: krowitz@RICHTER.MIT.EDU (David Krowitz)
Newsgroups: comp.sys.apollo
Subject: Re: Protection in Internets (kind of long...)
Message-ID: <8906051328.AA08749@richter.mit.edu>
Date: 5 Jun 89 13:28:46 GMT
Organization: The Internet
Lines: 31

Apollo has always provided the concept of node_admin's in addition to
that of sys_admin's. The sys_admin account is *meant* to be the account
for controlling the *entire* integrated network (along with root and
locksmith). If you want to make accounts that have control only over a
certain subset of the entire network, then create accounts of the form
'user.node_admin.subset.%' and add ACL entries on the nodes they control
which are duplicates of the sys_admin entries. Sys_admin accounts should
only be given to those people who are *supposed* to have privileges on
*all* machines.

The root account is a problem. Unix compatibility requires that it have
'locksmith' privileges. If it does not have complete privileges, then
you lose Unix compatibility. It's a classic catch-22. Unfortunately, you
must have a 'root' account to perform day-to-day system administration
functions on a Unix machine (unlike the Aegis 'locksmith' account, which
is usually only needed in extreme circumstances). If you want to have
Unix installed on a network of integrated workstations, then you either
must accept that every 'root' user has access to everything, or you must
turn your local system administration over to a centralized (and
trusted!) group. 'root', as defined by Unix standards, is equal to
'locksmith', as defined by Aegis.

-- David Krowitz

krowitz@richter.mit.edu (18.83.0.109)
krowitz%richter@eddie.mit.edu
krowitz%richter@athena.mit.edu
krowitz%richter.mit.edu@mitvma.bitnet
(in order of decreasing preference)