phcolaris wrote:
thanks Bob.
of course Solaris itself is very good multi-user and safe OS. But as
you've pointed out, there are situation where the requirements are
different. I guess that this is partly question for Trusted Solaris
Extensions, which btw were announced for spring 06 if I'm right. And
user management which would be able to handle this.
How this is in your organisations? Can you simply go to root directories
or other users directories?
Our org is spread out globally, and there is some
variance in policy by geos. The default home
directory permission does not allow others to see
into it (mod 0700), but I open mine up to help
with sharing, and only close down perms on stuff
that specifically needs to be kept more secure. I
think we're moving towards a model where you can
only access home directory servers where your home
resides.
Bob, do you know about the Trusted Extensions for Solaris10 and JDS?
We don't support it yet, and won't support it
instantly once it's released. I'm not allowed to comment on
future plans, but you could get more info
regarding our plans in this area if you signed a
CDA with you local Sun sales rep.
I'll let somebody more familiar with it comment on
the notion of using S10 Trusted Extensions for a general
use application. Mike? Would you recommend this approach?
Is any way to create 'virtual' users for SGD/Ray who would be able to
use the JDS and required applications and keep them in their home
directories (a bit alike some ftp servers)?
I'm not familiar with SGD, sorry.
-Bob
I guess I can't be the only one looking for such solutions.
thanks to all,
-philip
On Thu, 2006-08-31 at 15:47 -0400, Bob Doolittle wrote:
I'm looking for a way how to keep users in their home directories - so
that SGD/Ray users can't go and see other users and the root file
system, simply not leave their /home/~ directory
I've been playing around with few options (eg SUDO,containers or jail),
but that isn't the right answer.
Please be cautious about bringing a PC bias to this problem.
Unix and Solaris in particular were designed from inception to be
multi-user safe and friendly. The whole suite of access perms,
ACLs, etc are designed to protect users from each other.
The problem with chroot is that it effectively eliminates the
ability to run system tools, which is not really appropriate for
end-users. You may be able work around this but it's kludgey.
Zones are more suitable, but as you point out heavy-weight for
a large user community. Unless you need users to have privileged
roles within zones this is probably unnecessary.
In recent times there has been a migration of users to single-user
environments, and we tend to forget that multi-user environments
are alive and well.
So in summary my only caution is to not over-constrain your solution.
There are clearly needs to sometimes provide extra protection between
user domains. I see this primarily between Corporate entities sharing
a single server, such as an ASP sort of environment, where the partitioning
is between Corporate user communities, not individual users. Zones
scales better at this level of granularity.
My 2c.
-Bob
These opinions are my own, not my employers.
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
_______________________________________________
SunRay-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sunray-users
