RE: [U2] Unix Security

Brutzman, Bill Thu, 16 Feb 2006 07:12:21 -0800

AD:

Thanks for writing.  I will use this...

Regards,

--Bill

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Anthony Dzikiewicz
Sent: Wednesday, February 15, 2006 7:47 PM
To: [email protected]
Subject: RE: [U2] Unix Security

It looks good as long as your users are all part of the users group. You
probably want to look at the umask options for users as part of the login
paragraph. If a user changes a record and the files becomes theirs, then
this is bad.  I had something like this happen and I had to fix it by
setting the umask in the login paragraph.  I believe this was for type 1
files not static and dynamic.

Im not a security expert, but I dont think there are any implications for
print applications.  I would think that as long as a user can read the file,
then they could generate a report from it.  What would be more important is
if the user has rights to the spool directory and it doesnt sound like
you're changing that, but you are changing the users group.  Are you adding
users to additional group users or are you changing the users group from
test to users.  Can the users group write to the spool directory ?  Im not
sure if this matters.

When I look at this I ask myself what does this really gain you and is it
worth doing the work (although I dont know how many files you're dealing
with).  Do you have 'others' on the computer ?  Plans for 'others' ?  Are
the users all in the test group already and you have to change the group and
then add all users to that group ?  If you had to do a lot of work and there
are no 'others' on the system, then the worst you could do is maybe screw
something up and stop something that once worked from working.  Thats my
thinking - if it ant broke dont fix it and keep it simple.  If you can try
all of this out on a test system.

Ive always read that when securing a system you should make it as tight as
possible and then punch holes here and there only as needed.  I find that
myself I work backwards.  I make everything 'open' so that everything
'works' and then I go back and tighten up things.  I think this backward
approach is more difficult.  I am fortunate enough to not have a big
security problem.  Our server only runs Universe and everyone on it has
access to every file and there are no special considerations. So, I can get
away with this 'policy', but I know it isnt the best practice.

Anthony

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brutzman, Bill
Sent: Wednesday, February 15, 2006 6:46 PM
To: '[email protected]'
Subject: [U2] Unix Security

In the name of enhacing security, I want to change UniVerse file rights...  

    from   -rwxrwxrwx   root   test    UV.DATA.FILE 
    to     -rwxrwx---   root   users   UV.DATA.FILE 

Will end-users be able to do their transactions?
Will the print applications work?
Are there any special considerations for UV?

Suggestions would be appreciated.

--Bill
-------
u2-users mailing list
[email protected]
To unsubscribe please visit http://listserver.u2ug.org/

-- 
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.15.9/261 - Release Date: 2/15/2006

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.15.9/261 - Release Date: 2/15/2006
-------
u2-users mailing list
[email protected]
To unsubscribe please visit http://listserver.u2ug.org/
-------
u2-users mailing list
[email protected]
To unsubscribe please visit http://listserver.u2ug.org/

RE: [U2] Unix Security

Reply via email to