On 07/08/2014 09:09 AM, Anton Aylward pecked at the keyboard and wrote:
On 07/07/2014 04:00 PM, Dirk Gently wrote:
A lot of organizations using Linux or Unix would come to a screeching halt if the default permissions for home directories were drwx------.
Please explain why. Please explain what business decisions lead to and justify that and why they exclude other approaches.
I ask this because I have run both development and operational sites where the user's individual home directories were so protected.
If your justification is the need to share, then there are other, cleaner, better managed ways to do it, such as setting up project directories or using web based interfaces.
The usual objection to those lie with access control, but that is just indicative of people who either don't understand set theory/group theory or don't have 'idiot stick' admin tools that let them set up and manage groups. (This is where LDAP based administration can come in very useful.)
Of course many system implement some kind of RBAC (even if only in overlay).
It is a matter of how seriously your organization takes security. There is increasing pressure in this area.
While one can do wonderful things with the 1970s era UNIX groups and the basic 'ugo'/'rwx' it is still limited for the modern world with thousands of users and hundreds of 'domains'. At least RBAC drags Linux 'kicking and screaming' into the 1990s (which is when RBAC was first developed).
Go google and find things like
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/htm...
http://cs.wellesley.edu/~cs342/fall10/papers/asolomon-thesis.pdf
As I say, it boils down to how seriously your organization takes security.
The company I worked for was in the medical field and took security very serious due to HIPPA regulations. As such all user accounts had their home folders set to "drwx------" to keep prying eyes away from documents containing medical/billing history from accounts they were not working on (medical billing). People were usually assigned to specific accounts (Doctor office) and not allowed to work on different accounts. -- Ken Schneider SuSe since Version 5.2, June 1998 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org