[Fwd: Re: [WinMac] unix/ nt security diffs?]


Chris Hoogendyk (choogendyk[at]aol.com)
Wed, 19 May 1999 11:34:22 -0500


> > >I am looking for a web page or something detailing differences
> > >between the unix security model and NT's.

perhaps not exactly what you are looking for but here's a site everyone
should know:

      <http://www.cerias.purdue.edu/>

that's just a starting point. lots of links from there.

> > Are you looking for user access or security?
>
> User access.

    <snip>

> Fairly familiar with Uni*, but it seems like nt's model (from reading) has
> all the security based on directories... i.e. you can list, write to, modify
> members, or read members, etc., instead of Uni* where you have rwx on the
> directory and every file.
>
> The concept of groups seems slightly more significant in nt than in unix,
> and nt's whole file permission model, from what I am reading in the
> O'Reilly annoyances book, seems sort of silly and a lot less flexible.
>
> The only things I have ever gone in depth on with nt though are SFM and
> printing, so I wanted to get some first hand feedback before I go into a
> testing situation around the first of June.

    <snip>

> Basically I am interested in the basic permissions model - is what I have
> stated above correct?

With NT, you want to make sure you have formatted the drive using NTFS.
Once you've done that you have full file level access control. It is
based on Access Control Lists. Entries in the list contain a SID and a
list of permissions. There can be entries for users and for groups. SIDs
uniquely identify the users and the groups.

Permissions are:
  RWX and
  D for Delete
  P for Change Permissions
  O for Take Ownership
  N for No Access

The Administrator might not be given permissions, but can take ownership
and then do whatever. The fact that she took ownership flags the
intrusion. Ownership cannot be given, it can only be taken. The
Administrator can give a user permission to take ownership back.

Root in Unix has more power with impunity.

NT has a bunch of built in special groups.

NTFS is supposed to be POSIX compliant.

One hassle for an administrator is in a sense the GUI. I don't know of
any way to list the files in a directory with their permissions. You
have to right click on the file, select properties, click on the tab for
security, click on the button for permissions, click add or remove,
click more buttons, click ok or cancel out through several levels... I
mean, man, I gotta do that for every one? Groan.

The inherent programmability of the Unix shell together with the listing
of permissions when you do an "ls -l" makes it far easier to manage. Of
course, the newer releases also have ACLs, and you would see something
like "rwxr-x---+" where the "+" indicates that there are additional
permissions assigned using ACLs. I haven't done anything with those
other than to just see that they are there in Digital Unix 4.0D.

Of course Unix also has its unique things in the SetUID, SetGID and
Sticky Bits.

I think NT has reached a level of underlying complexity combined with
superficial simplicity that makes it difficult to manage expertly and
efficiently. Unix is harder to get into initially, but when you have
learned it, you know what you are dealing with and can manage it. NT has
layers of hidden stuff that it does automatically to make life easier
for you, and cleaning them up can be a real pain. You think you know
what is going on, but NT has even more hidden layers lying in wait for you.

We had an example where our public NT workstations had finally been set
up the way we wanted, accessing a Novell server. We had re-arranged the
Contexts in Novell. An account ("ref") at the root level that shouldn't
have been there in the first place was replaced with another account
("ref" in an interior context) and we had everything running. Then we
went back to clean up by deleting the ref account in Novell at the root
level (nobody using it anymore, right?), and every public NT workstation
got an alert that that account had been deleted. Huh? We searched the
registries and found a reference to that account and deleted it. But in
the meantime, we had a background login that we didn't want that was
being done invisibly and automatically. Now, granted, that may have been
an error on our part. But, when you have multiple people working on a
network, you don't always know everything they have done in precise detail.

I went to a presentation on Windows 2000, and it is becoming even more
complex while becoming even simpler (they love that little paper clip
guy). I think it is a misleading combination.

I'll stop rambling.

---------------

Chris Hoogendyk

Network Specialist, Library Systems Office
W.E.B. Du Bois Library
University of Massachusetts, Amherst

<choogend@library.umass.edu>

---------------
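The "ls -l" listing, the SetUID/SetGID/Sticky bits and the "+" ACL marker that the message above describes, turned into a small audit script as an added example (not part of the original thread): it reads ls -l output and reports which entries carry a special bit or an extra ACL entry, which is exactly the kind of per-directory permission check the message says the NT GUI makes tedious. The listing it runs over is constructed sample data; the script assumes a POSIX sh with awk.

```shell
#!/bin/sh
# Audit an "ls -l" listing for setuid, setgid, sticky bits and the "+"
# ACL marker. Constructed sample listing (not real files on any system):
SAMPLE_LISTING='total 5
-rwsr-xr-x 1 root root 12345 May 19 1999 passwd
-rwxr-x---+ 1 chris staff 200 May 19 1999 report.txt
drwxrwxrwt 5 root root 4096 May 19 1999 tmp
-rw-r--r-- 1 chris staff 10 May 19 1999 notes
-rwxr-sr-x 1 root mail 500 May 19 1999 mailer'

# audit_modes: read ls -l lines on stdin and print "<flags> <name>" for
# every entry that has a special bit or an ACL marker; plain entries are
# skipped. Assumes file names without spaces (the name is the last field).
audit_modes() {
  awk '
    NF < 9 { next }                      # skip "total N" and blank lines
    {
      mode = $1; name = $NF; flags = ""
      # mode string positions: 1 type, 2-4 user, 5-7 group, 8-10 other,
      # 11 "+" when extra ACL entries are attached
      if (substr(mode, 4, 1)  ~ /[sS]/) flags = flags "setuid,"
      if (substr(mode, 7, 1)  ~ /[sS]/) flags = flags "setgid,"
      if (substr(mode, 10, 1) ~ /[tT]/) flags = flags "sticky,"
      if (substr(mode, 11, 1) == "+")   flags = flags "acl,"
      if (flags != "") { sub(/,$/, "", flags); print flags, name }
    }'
}

# audit_sample: run the audit over the constructed listing.
audit_sample() {
  printf '%s\n' "$SAMPLE_LISTING" | audit_modes
}

# Stand-alone usage: audit a real directory if one is given, else the sample.
if [ -n "${1:-}" ]; then ls -la "$1" | audit_modes; else audit_sample; fi
```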

* Windows-MacOS Cooperation List *



This archive was generated by hypermail 2.0b2 on Wed May 19 1999 - 09:39:15 PDT