HP3000-L Archives

May 2000, Week 1

HP3000-L@RAVEN.UTC.EDU

Subject:
From:
Gilles Schipper <[log in to unmask]>
Reply To:
Gilles Schipper <[log in to unmask]>
Date:
Fri, 5 May 2000 20:29:04 -0400
If the requirement can be that a user can edit files ONLY in his/her HOME
group, then it's a simple thing to accomplish.

And, it can be accomplished WITHOUT the use of group passwords. Group
passwords are a royal pain because they require regular modification for
them to remain useful.

To restrict a user from accessing any file other than one residing in
her/his home group, simply specify group access as follows:

altgroup group1;access=(r,l,x:any;w,a,s:gl)

This example permits all files in GROUP1 to be Read, Locked, or eXecuted by
any user (subject to account access restrictions) but Written, Appended, or
Saved by only GL users.

A GL user must satisfy 2 requirements:

1. must have GL capability, and
2. must be logged in to HOME group.

So, a user logged in to any group other than home group would not enjoy
access rights associated with a GL-capable user for the duration of that logon.

There are probably a zillion redundant group passwords in the HP3000 world
that could be eliminated with the judicious use of GL capability.



At 04:31 PM 2000-05-05 -0400, Anthony Gionta wrote:
>Suppose you wanted to restrict file access such that a user may only edit
>files in one specific group and no others.  How would you configure this?
>
>Of course, you could secure groups that were not home to the user with
>passwords, but this would require some additional legwork as it pertains to
>apps and users that needed access to these passworded groups.
>
>Assigning access to GU would not ensure that these users attempt to access
>files outside of their own group.
>
>This seems like there should be a simple solution, but short of employing 3rd
>party security, I cannot see how to do this?
>
>Can anyone suggest a simple solution without it requiring a lot of additional
>security admin?
>
>Regards,
>     Anthony Gionta

---------------------------------------------------------------------------
Gilles Schipper
GSA Inc.
HP3000 & HP9000 System Administration Specialists
300 John Street, Box 87651   Thornhill, ON Canada L3T 7R4
Voice: 905.889.3000     Fax: 905.889.3001
Internet:  [log in to unmask]
---------------------------------------------------------------------------
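
The access rule in the message above, as an added example that is not part of the original post: a simplified Python model (not MPE code) that parses the ALTGROUP access string and checks the two GL requirements. The Session fields and function names are hypothetical, account-level restrictions are not modeled, and GL is assumed to apply only to files in the user's home group.

```python
from dataclasses import dataclass

MODES = {"r", "l", "a", "w", "x", "s"}  # Read, Lock, Append, Write, eXecute, Save
MODELED_CLASSES = {"any", "gl"}         # only the two user classes used in the post


def parse_access(spec):
    """Parse 'access=(r,l,x:any;w,a,s:gl)' into {mode: set of user classes}."""
    body = spec.strip().lower()
    if body.startswith("access="):
        body = body[len("access="):]
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("access spec must be parenthesised")
    table = {}
    for clause in body[1:-1].split(";"):
        modes, sep, classes = clause.partition(":")
        if not sep:
            raise ValueError(f"missing ':' in clause {clause!r}")
        mode_set = {m.strip() for m in modes.split(",")}
        class_set = {c.strip() for c in classes.split(",")}
        if not mode_set <= MODES or not class_set <= MODELED_CLASSES:
            raise ValueError(f"unsupported clause {clause!r}")
        for m in mode_set:
            table.setdefault(m, set()).update(class_set)
    return table


@dataclass
class Session:          # hypothetical: one logon of one user
    home_group: str
    logon_group: str
    has_gl: bool        # user was given GL capability


def is_gl_user(s, file_group):
    # Both requirements from the post, applied to the group holding the file
    # (assumption: GL only counts for the user's own home group).
    return s.has_gl and s.logon_group == s.home_group == file_group


def allowed(table, s, file_group, mode):
    classes = table.get(mode.lower(), set())  # model: unlisted mode is denied
    return "any" in classes or ("gl" in classes and is_gl_user(s, file_group))


GROUP1 = parse_access("access=(r,l,x:any;w,a,s:gl)")  # spec from the post
```
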
