begin quoting Wade Curry as of Sat, Nov 26, 2005 at 03:13:45PM -0800:
[snip]
> As powerful as RACF is (MVS security product), people still are
> able to break and abuse it regularly. Being based on ACLs really
> is a huge benefit, though.

Anything resembling a CL (capabilities list)?

> The way the mainframers think about password and data security is a
> little different, though. It is common with Linux to see a
> group created to provide access to files, and then add a user to
> the groups that allow appropriate access. Mainframers see groups
> as defining the function of the person. Everyone belongs to one
> -and only one- group. Each dataset profile then has an entry
> defining the type of access for each and every user or group that
> needs it.

Part of this comes from (I suspect) the security models in those
communities. Linux is user-centric: I want access to THOSE files
and I don't want YOU to access them. Mainframes probably hew a bit
closer to Orange Book specifications; and a big component of _that_
is covert channel mitigation. Having a user belong to separate groups
is just *asking* for covert channel headaches.

-Stewart "DEC had a VAX kernel rated at A1, but nobody wanted it" Stremler
