RE: string vs. numeric uid/gid


From: Mike Eisler (mre@eng.sun.com)
Date: 06/30/99-08:14:40 PM Z


Date: Wed, 30 Jun 1999 18:14:40 -0700 (PDT)
From: Mike Eisler <mre@eng.sun.com>
Subject: RE: string vs. numeric uid/gid
Message-ID: <Roam.SIMC.2.0.6.930791680.10439.mre@eng.sun.com>

> > 
> > If there is an example of an operating system that attempts to collect
> > multiple users into an ACL without enumerating them (aside from group
> > ids),
> > then we should consider it.



Dave writes:

> DCE ACL's have this:
> 
> sec_acl_e_type_foreign_other
>      The entry contains a key that identifies a foreign realm.  Any user
>      that can authenticate to the foreign realm will be allowed access.
> 
> and also:
> 
> sec_acl_e_type_any_other
>      The entry contains permissions to be applied to any accessor who 
>      who can authenticate to any realm, but is not identified by any 
>      other entry (except sec_acl_e_type_unauthenticated).

The above seem very specific to the underlying security mechanism (the DCE
security service) ... maybe my security flavor doesn't grok realms. 

> 
> sec_acl_e_type_unauthenticated
>      The entry contains permissions to be applied when the accessor does
>      not pass authentication procedures.

Seems like overkill. Many NFS servers map unauthenticated users to
a well-known user, such as "nobody". If one wants unauthenticated "nobody"
to have permissions, then stick it in the ACL. Or configure
the NFS server to not let nobody on.

DCE is clearly very rich in features, but challenging to understand. Such
features rarely get used.

Carl writes:
> 
> Under NT there are the following special SIDs which can be placed in
> ACLs:
> 
> INTERACTIVE - Users directly logged into the OS
> NETWORK - Users accessing the file from the network
> SYSTEM - The operating system itself

This is simple to understand, and implement. The nice thing about it is that
assuming we buy the "name@domain" idea for uid and gid representation, we
don't have to parse the fields of the id string to see if it belongs in any
special ACLs.  

	-mre
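An added illustration of the design Mike argues for above (example code written for this archive page, not code from the thread's authors or from any NFS implementation): explicit ACL entries hold opaque "name@domain" strings that are compared by equality and never parsed, the special entries Carl lists (INTERACTIVE, NETWORK, SYSTEM) are matched on the accessor's connection context instead, and an unauthenticated accessor is mapped to a well-known "nobody" principal that can be listed in the ACL or refused at the server. The principal names, the `nobody@example.com` value, the permission names and the ordered first-match evaluation are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Special "who" values, modelled on the NT SIDs quoted in the thread (constructed set).
SPECIAL_WHO = {"INTERACTIVE", "NETWORK", "SYSTEM"}

# Assumed well-known principal that unauthenticated accessors are mapped to.
NOBODY = "nobody@example.com"


@dataclass(frozen=True)
class Accessor:
    principal: Optional[str]      # "name@domain" if authenticated, None otherwise
    interactive: bool = False     # logged in directly on the server host
    from_network: bool = False    # reached the file over the network
    is_system: bool = False       # the operating system itself


@dataclass(frozen=True)
class Ace:
    who: str                      # explicit "name@domain" or a SPECIAL_WHO value
    allow: bool                   # True = allow entry, False = deny entry
    perms: frozenset              # permissions this entry covers


def effective_principal(a: Accessor) -> str:
    """Unauthenticated accessors become the well-known 'nobody' principal."""
    return a.principal if a.principal is not None else NOBODY


def ace_matches(ace: Ace, a: Accessor) -> bool:
    """Special entries match on accessor context; explicit entries are compared
    as whole strings, so the name@domain form is never parsed here."""
    if ace.who in SPECIAL_WHO:
        return {
            "INTERACTIVE": a.interactive,
            "NETWORK": a.from_network,
            "SYSTEM": a.is_system,
        }[ace.who]
    return ace.who == effective_principal(a)


def check_access(acl: List[Ace], a: Accessor, requested: Set[str],
                 allow_unauthenticated: bool = True) -> bool:
    """Ordered, first-match-wins evaluation (assumed semantics): each requested
    permission is decided by the first matching entry that mentions it. A deny
    on any requested permission fails the whole request; the request succeeds
    only when every requested permission has been allowed."""
    if a.principal is None and not allow_unauthenticated:
        return False  # server configured to "not let nobody on"
    undecided = set(requested)
    for ace in acl:
        if not undecided:
            break
        if not ace_matches(ace, a):
            continue
        hit = undecided & ace.perms
        if not hit:
            continue
        if not ace.allow:
            return False
        undecided -= hit
    return not undecided


# Constructed sample ACL: nobody is listed explicitly, as Mike suggests, with a deny on write.
SAMPLE_ACL = [
    Ace("SYSTEM", True, frozenset({"read", "write", "execute"})),
    Ace(NOBODY, False, frozenset({"write"})),
    Ace("alice@example.com", True, frozenset({"read", "write"})),
    Ace("INTERACTIVE", True, frozenset({"read", "execute"})),
    Ace("NETWORK", True, frozenset({"read"})),
]

if __name__ == "__main__":
    alice = Accessor("alice@example.com", from_network=True)
    anon = Accessor(None, from_network=True)
    print("alice read+write over network:", check_access(SAMPLE_ACL, alice, {"read", "write"}))
    print("anonymous write over network:", check_access(SAMPLE_ACL, anon, {"write"}))
    print("anonymous read over network:", check_access(SAMPLE_ACL, anon, {"read"}))
    print("anonymous read, nobody refused:", check_access(SAMPLE_ACL, anon, {"read"}, False))
```

The point of keeping `ace_matches` split this way is the one Mike makes: adding a special entry type touches only the context table, and the explicit-entry branch stays a plain string comparison, so nothing in the evaluator needs to know what a realm or domain is.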



This archive was generated by hypermail 2.1.2 : 03/04/05-01:47:17 AM Z CST