On Tuesday 10 February 2004 05:28, Ez-Aton wrote:
> ... starting from Windows 2000 (I don't count WinNT as a real OS anyhow),

First an unrelated observation. Through the years I used to hear:
  "Windows for Workgroups isn't a real OS -- Win95 is a true 32-bit OS"
  "Win9X is just a graphical shell -- WinNT is a modern design done
   by the same people who did VMS"
  "WinNT is obsolete -- W2K is the future"

and I'm waiting for:
  "W2K is the old-world OS -- W2K server and .Net are the true revolution"

This isn't against you specifically, Ez; every Win* user I know thinks
the *previous* Windows sucks big time... isn't it weird?

Personally, I'll take my first old Slackware (kernel 0.99pl14) with its
FVWM (with GoodStuff config) any day -- it was functional, fast and stable.

And now to the important subject...

> Although we're a Linux list, knowing our competitors is an advantage, to my 
> knowledge,

Agreed (at least by me).

> in AD, ... [description of ActiveDirectory relevant part]

Organization of various settings in a global hierarchy is an important
feature that generally eases administration. I'd like to put it in some
perspective:
  1. Sometimes a valid idea is designed badly -- the famous example
     is the Windows Registry, which had the same hierarchical organization
     but was designed as a monolithic binary file which everyone needs
     to access... not a pretty sight.

Note: utmp/wtmp in Unix/Linux present exactly the same design mistake,
      which explains the low validity of the data you find there...

  2. As a counter-example you may look at Linux GConf -- basically it's
     the registry idea done the right way: decouple storage from interface
     (the current plugins are XML, but that may change), not a single
     repository but several configurable ones (system-wide, per-user, etc.),
     and it fits nicely with the regular permission model (each user has
     their own gconfd, no suid access).

  3. For site-wide hierarchical management many use LDAP. It is already
     integrated in the important infrastructural applications -- login
     (via PAM), mail (sendmail, postfix, imap4, etc.) and more.

But one of your points is that this isn't integrated into every application
or the kernel (god forbid :-) like AD is in Windows. I'll try to
refer to this point later.

> ... setup access rights to most parts of Windows settings, 
> and applications, enforce settings ...

This is a very important issue. The Linux kernel has had capability-based
security implemented internally for quite some time. However, almost no
one uses it.

I think one of the problems we have in attaching security information
to the user login is that there are many cases of "non-login" usage:
  - Someone is running a process via rsh/ssh (this isn't a login).
  - Someone is using my DISPLAY (consuming resources).
  - Someone is using my disk via NFS (again... resources).
  - Packets are being routed via my computer (there are no "user"
    credentials in the packets at all...)

Let's combine the above points into a real-life scenario:
  I sit at computer A, running via SSH a program on computer B
  (with its DISPLAY appearing on A, of course). The program was
  loaded from my NFS server C and establishes a connection
  to a server D, and the packets are routed through router E.

Now, since the user's activity is distributed, it's non-trivial
to apply some central policy to his actions.

You are correct that having a central policy helps. But the hard
question is whether we can do it *without* sacrificing our
distributed world ("The network is the computer" [McNealy]).

> (I enforced Proxy settings for IE on every client computer just yesterday),

I'm not sure I understand what you mean by "enforced". Does it change the
settings in the Explorer preferences? Then this is not enforcement, because
it depends on the cooperation of the Explorer program -- what would prevent
a user from modifying the behaviour of Explorer? Security by obscurity.

The correct place to enforce proxy settings is the firewall regardless
of the OS.

A Linux note:
  The "old way" to set a proxy was via environment variables -- this had the
  excellent effect that you can do it at whatever level you want:
   - For every user -- in the system login scripts.
   - For a single user -- in his own login script.
   - For a single session -- on the command line.
  The only downside was that you have to start the application for it to
  take effect. I wonder why modern browsers haven't left it as a *default*.
  Of course, if they use GConf, we can still have these properties.

> and do most of whatever comes to your mind.

Can you run scripts? If not, then it's good only for the simple cases of
variable=value settings and not for places where you need to run some logic.
(It's true that most settings are these simple var=value cases.)


-- 
Oron Peled                             Voice/Fax: +972-4-8228492
[EMAIL PROTECTED]                  http://www.actcom.co.il/~oron

"UNIX was not designed to stop you from doing stupid things, because
that would also stop you from doing clever things."
                                                         --Doug Gwyn
