On Thu, 2006-08-31 at 17:52 -0400, Bob Doolittle wrote:
> Our org is spread out globally, and there is some
> variance in policy by geos. The default home
> directory permission does not allow others to see
> into it (mode 0700), but I open mine up to help
> with sharing, and only close down perms on stuff
> that specifically needs to be kept more secure. I
> think we're moving towards a model where you can
> only access home directory servers where your home
> resides.

which is fine within one organisation or entity/department, but not at a larger scale or with a more ISP-like approach. My problem (or task ;-)) is to keep separate users from different groups/departments/projects. On top of that is the paranoid suspicion about anyone else, so the security view. All this I could do partly with zones/containers, but if the users change or move... it is a problem. Therefore it would be better to simply have directories/files which are shared and restrict everything else. That way it would be easier to manage the users as well as the groups/departments or projects in LDAP/directory server. Another problem is to keep internal/confidential stuff away from the private junk of the users, so when they can use the desktop at home they don't mix it up or deliberately use it. And so on... Or any other idea?

> > Bob, do you know about the Trusted Extensions for Solaris 10 and JDS?
>
> We don't support it yet, and won't support it
> instantly once it's released. I'm not allowed to comment on
> future plans, but you could get more info
> regarding our plans in this area if you signed a
> CDA with your local Sun sales rep.

I know that many things are not supported and won't be anytime soon (e.g. in this situation Ray in containers), but... I've got some NDA, and last time we discussed Trusted Solaris they mentioned, I think, spring/early summer 06, but they didn't know, and btw these guys are frankly quite often useless.

> I'll let somebody more familiar with it comment on
> the notion of using S10 Trusted Extensions for a general
> use application. Mike? Would you recommend this approach?
>
> > Is there any way to create 'virtual' users for SGD/Ray who would be able to
> > use the JDS and required applications and keep them in their home
> > directories (a bit like some ftp servers)?
>
> I'm not familiar with SGD, sorry.

I know that Sun is working on a 'joint' version of SGD/Ray so it would be one product. Again I didn't get a time when it would be available, but generally this would quite help to manage and integrate all that.

many thanks,
-philip

> > On Thu, 2006-08-31 at 15:47 -0400, Bob Doolittle wrote:
> > > > I'm looking for a way to keep users in their home directories - so
> > > > that SGD/Ray users can't go and see other users and the root file
> > > > system, simply not leave their /home/~ directory.
> > > > I've been playing around with a few options (e.g. SUDO, containers or jail),
> > > > but that isn't the right answer.
> > >
> > > Please be cautious about bringing a PC bias to this problem.
> > >
> > > Unix and Solaris in particular were designed from inception to be
> > > multi-user safe and friendly. The whole suite of access perms,
> > > ACLs, etc. are designed to protect users from each other.
> > > The problem with chroot is that it effectively eliminates the
> > > ability to run system tools, which is not really appropriate for
> > > end-users. You may be able to work around this but it's kludgey.
> > > Zones are more suitable, but as you point out heavy-weight for
> > > a large user community. Unless you need users to have privileged
> > > roles within zones this is probably unnecessary.
> > >
> > > In recent times there has been a migration of users to single-user
> > > environments, and we tend to forget that multi-user environments
> > > are alive and well.
> > >
> > > So in summary my only caution is to not over-constrain your solution.
> > > There are clearly needs to sometimes provide extra protection between
> > > user domains. I see this primarily between Corporate entities sharing
> > > a single server, such as an ASP sort of environment, where the partitioning
> > > is between Corporate user communities, not individual users. Zones
> > > scale better at this level of granularity.
> > >
> > > My 2c.
> > >
> > > -Bob

_______________________________________________
SGD-Users mailing list
[email protected]
http://www.filibeto.org/mailman/listinfo/sgd-users
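The thread keeps coming back to Bob's point that, before chroot or zones, the first line of separation between users on a shared Solaris host is the mode of each home directory (0700 by default, and Bob opens his up deliberately). The POSIX shell script below is an added example, not code from any poster or from Sun: it audits a home-directory tree for homes whose group or other bits are set, flags any that carry an ACL (the `+` that `ls -l` appends to the mode string, which can grant access the nine mode bits do not show), and tightens the open ones back to 0700. The base directory, the user names and the demo tree it builds are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit and tighten home-directory modes.
# Assumes the classic layout where every user's home is a direct subdirectory
# of one base directory (e.g. /home or /export/home on Solaris).

# open_homes BASE
#   Print "<mode> <path>" for each home under BASE whose group or other bits
#   are set, i.e. anything more permissive than 0700. A '+' in column 11 of
#   the ls(1) output (an ACL is attached) is reported as well, because an ACL
#   can widen access even when the mode string reads drwx------.
#   Uses ls(1) and cut(1) only, so it runs unchanged on Solaris and Linux.
open_homes() {
    base=$1
    for d in "$base"/*/; do
        d=${d%/}                                  # strip the glob's trailing slash
        [ -d "$d" ] || continue                   # no subdirectories: glob stays literal
        line=$(ls -ld "$d")                       # e.g. "drwxr-xr-x+ 2 bob staff ..."
        mode=$(printf '%s' "$line" | cut -c1-10)  # type + user/group/other bits
        acl=$(printf '%s' "$line" | cut -c11)     # '+' when an ACL is present
        group_other=$(printf '%s' "$mode" | cut -c5-10)
        case $acl in
            +) note=" (ACL attached)" ;;
            *) note="" ;;
        esac
        if [ "$group_other" != "------" ] || [ "$acl" = "+" ]; then
            printf '%s %s%s\n' "$mode" "$d" "$note"
        fi
    done
}

# lock_homes BASE
#   chmod 0700 every home that open_homes reports. ACL entries are left alone:
#   on Solaris they need setfacl/chmod A- handling, which is out of scope here.
#   Paths containing whitespace are not handled by the read-based split.
lock_homes() {
    open_homes "$1" | while read -r mode path rest; do
        chmod 0700 "$path"
    done
}

# demo_tree
#   Build a constructed sample tree in a temp directory and print its path:
#   alice is already private, bob is world-readable, carol is group-readable.
demo_tree() {
    t=$(mktemp -d)
    mkdir "$t/alice" "$t/bob" "$t/carol"
    chmod 0700 "$t/alice"
    chmod 0755 "$t/bob"
    chmod 0750 "$t/carol"
    printf '%s\n' "$t"
}
```

Run `open_homes /export/home` first and read the report before calling `lock_homes`: a home that someone opened on purpose for sharing, as Bob describes, is better served by a separate group-owned shared directory than by leaving the whole home world-readable, and an "(ACL attached)" entry needs `getfacl` on Solaris to see what it actually grants.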
