> From: peter honeyman <[EMAIL PROTECTED]>
>> So if used by "normal" users, groups within groups may quickly become
>> a real quagmire. How do you adequately warn naive users of this phenomenon?
> huh?!? just flip 'em the bird and move on to the next hack!
Ah, but your job is to keep software and servers healthy and happy,
not to keep students and faculty healthy and happy. Hey, now that I
think about it, you are one of those faculty members that some poor
admin (like I used to be) is required to keep happy! ;-} Now that
would be a challenging job!
>From: "Peter Lister, Cranfield Computer Centre" <[EMAIL PROTECTED]>
>The first obvious answer is education - MAKE users aware that if they
>use someone ELSE's group, they are at the mercy of the group's owner
>(that's what ownership means).
Talk about contrasting viewpoints!
But I had 15000 users and 3000 new ones each semester. Sometimes you feel
lucky if you can get them to understand what klog does.
>From: Paul Howell <[EMAIL PROTECTED]>
>Please don't try to contrive various administrative control problems
>and try to solve them by implementing restrictions.
Not contrived. I was the Sys Admin for AFS at CMU for 5 years and
when we gave the users "the rope with which to hang themselves" - they
did. It becomes tiring to bail the "not-so-clever" people out of
these little crises - we had better things to do with our time. It
became exceedingly tiring when the "not-so-clever" person had a bit of
authority and gave you excessive grief about the fact that they were
able to shoot themselves in the foot. Perhaps my cell had more
"not-so-clever" users than yours. But I'll bet my cell was more
"typical" than yours in that regard.
>From: Paul Howell <[EMAIL PROTECTED]>
>Any restrictions you decide from your experience will undoubtedly
>not fit our site.
You're right. Any restrictions that anyone comes up with from any
experience will not fit the needs of every site.
>From: "Peter Lister, Cranfield Computer Centre" <[EMAIL PROTECTED]>
>OK, now does THAT keep everyone happy? I'm a great believer in adding
>functionality where possible and useful, but I also believe in allowing
>a system manager to switch it off when he needs to.
Agreed. But coding in the ability for each administrator to custom
configure their AFS software would be a very time-consuming task,
would make the system more complicated to install, configure and
administer, and must be weighed against the other fixes/features that
are needed/requested. Remember, groups within groups is only one tiny
corner of the system. If time is spent on an effort for super custom
configuration, do you really want it spent on this corner of AFS?
>From: Paul Howell <[EMAIL PROTECTED]>
>The current permissions on pt groups now is fine.
Wait, you're telling me you don't want or need groups within groups?
Perhaps Peter Lister's suggestion of
% pts set gogsformortals off
*is* the best one. gogs for sys:admins allowed and *you* decide if it's
allowed for mortals. I have no idea what it would take to code up
this small ability for site custom configuration. Nonetheless, for
sites that turn gogsformortals on, I'll remain worried about the
not-so-clever mortals.
>From: "Peter Lister, Cranfield Computer Centre" <[EMAIL PROTECTED]>
>Not acceptable. [regarding the restriction of groups only containing
>groups owned by the same person] However, I would accept that a
>warning message could be returned (by default) which informs users
>that the group they're adding is owned by someone else and that
>they're giving that other person some administrative control and
>asks for confirmation.
Hmmm. Not a bad idea. Non-mortals and clever mortals will tire of
the warning, but a -force switch could hush it.
I'd love to claim that my desire to look out for the "not-so-clever"
mortals was some great altruistic quality. It's more a desire to keep
the not-so-clever mortals from hanging themselves with the rope we
give them and expecting you to rescue them (and we, then, must rescue
you ;-).
Thanks for the input,
Pierette
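
The two controls discussed in this message (a site-wide gogsformortals switch, and a warning with a -force override when the group being added is owned by someone else), sketched as an added example that is not part of the original message and not AFS code. The class, method and user names are hypothetical, and the model only illustrates why a nested group's owner gains control over the outer group's effective membership.

```python
# Toy model of nested protection groups. Constructed for illustration;
# this is not AFS ptserver code and every name here is hypothetical.
class NeedsConfirmation(Exception):
    """Raised instead of prompting; the caller retries with force=True."""

class GroupDB:
    def __init__(self, gogs_for_mortals=True, admins=("admin",)):
        self.owner = {}      # group name -> owning user
        self.members = {}    # group name -> set of user and group names
        self.gogs_for_mortals = gogs_for_mortals  # the proposed site switch
        self.admins = set(admins)                 # stand-in for sys:admins

    def create(self, group, owner):
        self.owner[group] = owner
        self.members[group] = set()

    def _closure(self, group, seen=None):
        """All groups reachable from `group`, itself included; cycle-safe."""
        seen = set() if seen is None else seen
        if group not in seen:
            seen.add(group)
            for m in self.members[group]:
                if m in self.owner:
                    self._closure(m, seen)
        return seen

    def controllers(self, group):
        """Owners who can change who ends up in `group` via nesting."""
        return {self.owner[g] for g in self._closure(group)}

    def effective_users(self, group):
        return {m for g in self._closure(group)
                for m in self.members[g] if m not in self.owner}

    def add(self, actor, member, group, force=False):
        is_admin = actor in self.admins
        if actor != self.owner[group] and not is_admin:
            raise PermissionError(f"{actor} does not own {group}")
        if member in self.owner:  # the new member is itself a group
            if not self.gogs_for_mortals and not is_admin:
                raise PermissionError("groups within groups is off for mortals")
            others = self.controllers(member) - {self.owner[group]}
            if others and not force:
                raise NeedsConfirmation(
                    f"{member} is controlled by {sorted(others)}, who will be "
                    f"able to change the effective membership of {group}")
        self.members[group].add(member)
```

The warning looks at the whole nesting closure, so a group that is owned by the same person but itself contains someone else's group still triggers it.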