On Fri, 28 Jan 2005 11:55:26 -0600, Scott Harney <[EMAIL PROTECTED]> wrote: > Andrew Baudouin wrote:
> > Exactly. It's not done by default. And most linux vendors don't do it > either. > Trying to strike a balance between security and usability on an > out-of-the-box installation is difficult and something all OS vendors struggle > with. Well, OpenBSD doesn't struggle with it ;) How usable would you say OpenBSD is? I can't even vouch for it. Do they have Gnome/KDE? > > I actually think the MS permissions system is much too granular and it makes > it > very difficult for admin's to understand how to properly lock down a box. > Understanding Windows permissions, group policies, and inheritance order is > important and not necessarily simple. In the *nix world, most situations are > easily covered with the user-group-other basic set of permissions. Special > cases can be handled by ACL's which are at least as granular as the Windows > permission system. I'd be willing to bet that most of the Linux users here > haven't even had a need to use ACL's in their environments.(1) Maybe it is just me, but I understand assigning DOMAIN\user change access to $DIR more than I can figure out the equivalent unix commands to do the same thing. I find myself 'man chmod' every time I want to do something. I still do not really understand how to assign permissions under unix correctly.... > I think most of MS's security problems come from the desktop nature/feature > support focus of the company as Andrew does. And of course they like to try > and hide complexity behind the GUI. I don't necessarily think it's a good > idea > to "dumb-down" security and systems administration when some of these concepts > have inherent complexity. We are going to have to disagree here. All of the complexity is visible in the GUI. Not only that, but in XP now there is an "effective permissions" dialog, which given a username, shows the effective permissions it will have on the current resources after all of the group are applied. > Remember, just because it is easy doesn't mean it's simple. Simple is almost > always good (at least in terms of security) but easy is not necessarily good. > OpenBSD is simple but not necessarily easy. The file system permissions > implementations in Windows in Unix provide a great example of what I am > talking > about. I feel the permissions/inheritance system in Windows is way too > complex > and leads to errors and omissions. It's certainly simple to change permissions > but do you as an admin really understand those details? Are my changes going > to > propagate into subdirectories? What about when group policy is re-applied > from > the AD controller? They propagate if you check the "propagate" option! :) Same thing when you use chmod -R vs without... > I also think MS's tight integration (think Exchange/Outlook/Office) offers > lots > of (potential) user benefits but provides unique vectors for virus infection > and exploits that you just don't see in *nix. Firefox vs. IE anyone? This is a tradeoff. Users will continue to use what gives them the most benefits. I don't personally believe that tight user integration correlates directly to insecurity, I just think the corporate attitudes need to change to "Release something after it's secure" rather than promising software on X date and pushing everything out of the way to release on that date. > (1) ACL's in the linux world are filesystem/kernel specific. A lot of > distributions include the support but it's not well-publicized. I've mainly > used ACL's on Solaris at work but the LInux implementations are pretty much > the > same. I'm not familiar with ACL support under Linux...... > -- > Scott Harney <[EMAIL PROTECTED]> > "Asking the wrong questions is the leading cause of wrong answers" > gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5 > > _______________________________________________ > General mailing list > [email protected] > http://brlug.net/mailman/listinfo/general_brlug.net >
