Subject: Re: Unique IDs across realms under UNIX (was Re: BSD Auth)
To: Greywolf <greywolf@starwolf.com>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: current-users
Date: 09/25/2003 02:37:39
On Dec 14,  7:42am, Greywolf wrote:
} Thus spake Greg A. Woods ("GAW> ") sometime Today...
} 
} GAW> > The issue is that in afs (and probably nfs4), you don't want to key your
} GAW> > rights off your uid.
} GAW>
} GAW> Pray tell why would you ignore the fundamental benefits of the Unix
} GAW> security model?
} 
} Greg, at this point, I think it would be safest to realise that the UNIX
} security model as we have known it is in for a rather intense mutation,

     I think this is a bit of an overstatement.  The current UNIX
security model works fine for probably 80%+ of users.  However, it does
lack some things needed at the high end, and so will be enhanced.  I
don't think you will see wholesale changes though.

} Realms are going to come more into play, I feel.  [No, I don't have evidence,
} but it makes sense judging by what authoritarian admin types seem to want.]

     "authoritarian admin types" don't want anything.  All this stuff
just means more work for them, and most of them are already
overworked.  They do this stuff because it is what they need to do to
meet corporate security policies.  "authoritarian admin types" are
simply worker bees that implement policy and make sure the systems
continue to run smoothly.

} ...not to mention you have to disable cut-and-paste between windows
} authenticated to two different users in two different -- and not mutually
} trusting -- realms.

     This can and probably has been done in "trusted" versions of UNIX
(i.e. Trusted Solaris, TrustedBSD {based on FreeBSD}) where
compartmentalisation is enforced.

}-- End of excerpt from Greywolf