Kevin Kreamer wrote:
> -ray wrote: 
>> You can do things like this: For file.txt, willg and dustinp have
>> read/write access to it.  the admin group and the wheel group have
>> read/write access to it.  the users group only has read access to it.
>> Users ray and brad, even though they're in the users group, are 
>> explicitly denied any access to the file.
> 
> While it's great that the above is possible, the issue is that it is a 
> pain to maintain.  For one file, it's not that big of a deal, but to do 
> that for any moderately sized organization, especially with turn-over -- 
> you end up with permissions that were great 6 months ago, but don't 
> match conditions today.
> 
> In the above example, you'll probably have organizationally defined 
> groups that comprise (willg, dustinp), (ray, brad), and (all users 
> except (ray, brad)).  You'll probably also have quite a few other 
> network resources that require permissions based on those groups.  So, 
> you'll probably want to just add linus to the (willg, dustinp) group and 
> billg to the (ray, brad) group, instead of hunting down a bunch of files 
> to change permissions on.

I couldn't have said it better myself.  The granular permissions of NT 
are great on paper.  But in common practice, you rarely need them in 
*nix and you tend to solve the problem a bit differently.  I _have_ had 
situations at work where ACLs made the most sense for a particular 
problem, but rarely, and it was _well_ documented for future admins.

I've seen MS's recommendations for filesystem permissions and groups and 
how to tier them carefully (can't find the link right now) and it makes 
good sense.  And like *nix you'll rarely have to have individual 
specialized permissions if you do it correctly.  However, people more 
often than not aren't aware of such methods and use the NTFS permissions 
willy-nilly as described above.  In the *nix world, it's essentially the 
reverse of that scenario.  I like it the *nix way: simple by default 
with complexity available when needed.

To paraphrase Larry Wall of Perl fame, make simple things easy and hard 
things possible.

Pervasive complexity is the enemy of good security.


-- 
Scott Harney<[EMAIL PROTECTED]>
"Asking the wrong questions is the leading cause of wrong answers"
gpg key fingerprint=7125 0BD3 8EC4 08D7 321D CEE9 F024 7DA6 0BC7 94E5
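The file.txt scenario quoted at the top of this message is exactly what POSIX ACLs on Linux express with one command, e.g. `setfacl -m u:willg:rw-,u:dustinp:rw-,g:admin:rw-,g:wheel:rw-,g:users:r--,u:ray:---,u:brad:--- file.txt`. Why ray is denied even though the users group has read access, and why Kevin's "just add linus to the group" approach works without touching the file, both follow from the access-check order in acl(5): owner, then named-user entries, then owning-group and named-group entries (capped by the mask entry), then other. The following is an added example, not code from the thread or from any ACL implementation: a small Python model of that algorithm, with a constructed user directory (the group memberships, the file owner and the names alice and guest are assumptions, not from the original message).

```python
"""Model of the acl(5) access-check algorithm applied to the file.txt ACL
described in the thread.  Added illustration only; the kernel does this in C
against real uids/gids.  Owner, group memberships and the extra users are
constructed for the example."""

from dataclasses import dataclass, field, replace
from typing import Dict, FrozenSet, Optional, Set


def perms(spec: str) -> FrozenSet[str]:
    """'rw-' -> {'r','w'}; '---' -> empty set (getfacl-style permission text)."""
    return frozenset(c for c in spec if c in "rwx")


@dataclass
class Acl:
    owner: str                      # file owner (matches the u:: entry)
    group: str                      # file group (matches the g:: entry)
    user_obj: FrozenSet[str]        # u::   owner permissions
    group_obj: FrozenSet[str]       # g::   owning-group permissions
    other: FrozenSet[str]           # o::   everyone else
    users: Dict[str, FrozenSet[str]] = field(default_factory=dict)   # u:name:
    groups: Dict[str, FrozenSet[str]] = field(default_factory=dict)  # g:name:
    mask: Optional[FrozenSet[str]] = None   # m:: caps named users and all groups


def access(acl: Acl, user: str, memberships: Set[str], want: str) -> bool:
    """Does `user` (a member of `memberships`) get the permissions in `want`?

    Order follows acl(5): owner, named user, groups (any matching group entry
    that, after masking, contains the request grants it), then other.  A named
    user entry wins even when it grants nothing, which is how u:ray:--- denies
    ray despite his membership in the users group.
    """
    wanted = perms(want)
    if user == acl.owner:
        return wanted <= acl.user_obj
    if user in acl.users:
        granted = acl.users[user]
        if acl.mask is not None:
            granted = granted & acl.mask
        return wanted <= granted
    matching = []
    if acl.group in memberships:
        matching.append(acl.group_obj)
    matching += [p for g, p in acl.groups.items() if g in memberships]
    if matching:
        for granted in matching:
            if acl.mask is not None:
                granted = granted & acl.mask
            if wanted <= granted:
                return True
        return False
    return wanted <= acl.other


def thread_scenario():
    """The ACL from the thread plus a constructed group directory."""
    acl = Acl(
        owner="root", group="root",                     # assumed owner/group
        user_obj=perms("rw-"), group_obj=perms("r--"), other=perms("---"),
        users={"willg": perms("rw-"), "dustinp": perms("rw-"),
               "ray": perms("---"), "brad": perms("---")},
        groups={"admin": perms("rw-"), "wheel": perms("rw-"),
                "users": perms("r--")},
        mask=perms("rw-"),   # what setfacl computes: union of group/named entries
    )
    directory = {                                       # constructed memberships
        "willg": {"users"}, "dustinp": {"users"}, "ray": {"users"},
        "brad": {"users"}, "linus": {"users"}, "alice": {"admin", "users"},
        "guest": set(),
    }
    return acl, directory


if __name__ == "__main__":
    acl, directory = thread_scenario()
    for user in ("willg", "alice", "linus", "ray", "guest"):
        print(user, "read:", access(acl, user, directory[user], "r"),
              "write:", access(acl, user, directory[user], "w"))
    # Kevin's point: group membership changes, the file's ACL does not.
    directory["linus"].add("admin")
    print("linus after joining admin, write:",
          access(acl, "linus", directory["linus"], "w"))
    # The mask entry silently caps named users and groups (a common surprise
    # after a chmod g-w on an ACL-bearing file).
    capped = replace(acl, mask=perms("r--"))
    print("willg write with mask r--:",
          access(capped, "willg", directory["willg"], "w"))
```

The mask case is the one to remember when auditing such files: `getfacl` shows it as `#effective:` annotations, and a plain `chmod` on the group bits rewrites the mask, so a file that "has rw for admin" in its ACL may grant only read in practice.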