On Tue, 18 Nov 2003 11:56, you wrote:
> On Tue, 2003-11-18 at 11:30, Christopher Sawtell wrote:
> > > The extension of this is ACLs - I've used ACL-based systems extensively
> > > in the past, and without a decent management system,
> >
> > Can you recommend one?
>
> Nope.
>
> :-)

Pity.

> I was hacking on VMS. Some aspects were deeply satisfying (like
> privilege-escalation attacks ... VMS had an excessive number of
> privileges for a user ...) but others were a little clunky (DCL, the
> command scripting language ... and the COBOL-ish "program switches as
> full words only" habits).
>
> You could specify ACLs on files, but they felt very added-on-later -
> IIRC the standard directory lister didn't show them to you. You had to
> remember to query each file to find out what the ACL for it was (It's
> possible that I'm mis-remembering, or simply didn't know the right
> commands). It was easy to declare unusable combinations for a file.
>
> > > they become very
> > > difficult to manage. Groups are clunky compared to ACLs, but generally
> > > adequate.
> >
> > Note that the database systems offer fine control over access to the
> > internal tables.
>
> Is that "fine control" as in "fine-grained control", or "excellent
> control" ?

I was thinking of the former, but both meanings apply.
I like the concepts behind the SQL GRANT command.

> IMO, it's having two separate schemes for permission information that
> leads to problems. If you're using ACLs, have by default ACL groups that
> match the traditional unix permission categories, and hack 'ls' so that
> it presents these permissions - or use ACLs, and set the unix
> permissions to something "impossible", like 0000 ... thus reminding you
> to refer to ACLs instead ...

ACLs have only relatively arrived on the Linux scene.
What you say is very true.

--
Sincerely etc.
Christopher Sawtell
NB. This PC runs Linux. If you find a virus apparently from me, it has
forged the e-mail headers on someone else's machine. Please do not notify
me when this occurs. Thanks.
