On Tue, 18 Nov 2003 11:56, you wrote:
> On Tue, 2003-11-18 at 11:30, Christopher Sawtell wrote:
> > > The extension of this is ACLs - I've used ACL-based systems extensively
> > > in the past, and without a decent management system,
> >
> > Can you recommend one?
>
> Nope.
>
> :-)
Pity.

> I was hacking on VMS. Some aspects were deeply satisfying (like
> privilege-escalation attacks ... VMS had an excessive number of
> privileges for a user ...) but others were a little clunky (DCL, the
> command scripting language ... and the COBOL-ish "program switches as
> full words only" habits).
>
> You could specify ACLs on files, but they felt very added-on-later -
> IIRC the standard directory lister didn't show them to you. You had to
> remember to query each file to find out what the ACL for it was (It's
> possible that I'm mis-remembering, or simply didn't know the right
> commands). It was easy to declare unusable combinations for a file.
>
> > > they become very
> > > difficult to manage. Groups are clunky compared to ACLs, but generally
> > > adequate.
> >
> > Note that the database systems offer fine control over access to the
> > internal tables.
>
> Is that "fine control" as in "fine-grained control", or "excellent
> control" ?
I was thinking of the former, but both meanings apply.
I like the concepts behind the SQL GRANT command.

> IMO, it's having two separate schemes for permission information that
> leads to problems. If you're using ACLs, have by default ACL groups that
> match the traditional unix permission categories, and hack 'ls' so that
> it presents these permissions - or use ACLs, and set the unix
> permissions to something "impossible", like 0000 ... thus reminding you
> to refer to ACLs instead ...
ACLs have only relatively arrived on the Linux scene.
What you say is very true.

-- 
Sincerely etc.
Christopher Sawtell

NB. This PC runs Linux. If you find a virus apparently from me,
it has forged the e-mail headers on someone else's machine.
Please do not notify me when this occurs. Thanks.
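Added example, not from this thread: a small Python model of how Linux POSIX ACL entries (getfacl text format, libacl semantics) interact with the classic mode bits, assuming a coreutils ls built with ACL support. The sample ACL is constructed; the model shows what ls -l does and does not display, how the mask entry clamps named entries, and why chmod 000 on such a file does more than remind you to look at the ACL: it disables every named entry.

```python
# Added example (not from the thread): POSIX ACL vs. classic rwx bits on Linux.
# Assumes the getfacl(1) text format; the ACL text below is constructed.
PERM = {"r": 4, "w": 2, "x": 1}

SAMPLE_ACL = """\
# file: report.txt
# owner: chris
# group: staff
user::rw-
user:alice:rwx
group::rw-
group:auditors:r-x
mask::r--
other::---
"""

def parse_getfacl(text):
    """Return [(tag, qualifier, perms)] from getfacl output, skipping '#' lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, perms))
    return entries

def clamp(perms, mask):
    """Bitwise AND of two 'rwx' strings, as the kernel applies the mask entry."""
    return "".join(p if p == m and p != "-" else "-" for p, m in zip(perms, mask))

def effective(entries):
    """Effective perms per entry: the mask clamps named users, the owning group
    and named groups, but never the owner (user::) or other::."""
    mask = {(t, q): p for t, q, p in entries}.get(("mask", ""))
    result = {}
    for tag, qualifier, perms in entries:
        masked = (tag == "user" and qualifier != "") or tag == "group"
        result[f"{tag}:{qualifier}"] = clamp(perms, mask) if masked and mask else perms
    return result

def ls_mode(entries):
    """What 'ls -l' prints: owner bits, then the MASK (not the owning group's own
    entry) in the group column, other bits, and a trailing '+' flagging the ACL."""
    e = {(t, q): p for t, q, p in entries}
    group_col = e.get(("mask", ""), e[("group", "")])
    return e[("user", "")] + group_col + e[("other", "")] + ("+" if ("mask", "") in e else "")

def chmod(entries, mode):
    """chmod on an ACL-bearing file rewrites user::, mask:: and other:: from the
    octal mode; chmod 000 therefore makes every named entry ineffective."""
    rwx = lambda d: "".join(c if int(d) & v else "-" for c, v in PERM.items())
    new = dict(zip(("user", "mask", "other"), map(rwx, f"{mode:03o}")))
    return [(t, q, new[t] if q == "" and t in new else p) for t, q, p in entries]
```

Run getfacl on a real file and feed its output to parse_getfacl to compare the effective table against what ls -l shows.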