z**u Posts: 3 | 1 The Windows NT security model can define permissions per user/group: for example, file a.txt can be readable by several
users, writable by several groups, and fully denied to some people, all of which is recorded in one BLOB.
Is there a similar security model in UNIX? Simple UNIX file permissions are only rwxrwxrwx, which is not enough.
If there is, are they all commercial systems? There should be free ones, right? |
c*****t Posts: 1879 | 2
1. you can use a more restricted shell s.t. they could only do very limited
things.
2. you can allow the user to use services w/o asking them to log in.
3. a user can have multiple groups, allowing them to have greater
access rights.
【Quoted from z**u's post】
: The Windows NT security model can define permissions per user/group: for example, file a.txt can be readable by several
: users, writable by several groups, and fully denied to some people, all of which is recorded in one BLOB.
: Is there a similar security model in UNIX? Simple UNIX file permissions are only rwxrwxrwx, which is not enough.
: If there is, are they all commercial systems? There should be free ones, right?
|
z**u Posts: 3 | 3 Thanks for the reply; let me keep asking...
1. This is a restriction on users' overall behavior, not a restriction on some
specific target(s). Sounds like overkill.
2. Is the restriction built into the service (implemented with code)?
3. Say users A and B belong to group G. How do I specify that everybody in
group G can access foo.txt, except B? Do I have to define a new group = G-B?
Forgive me if the questions are too dumb.
【Quoted from c*****t's post】
:
: 1. you can use a more restricted shell s.t. they could only do very limited
: things.
: 2. you can allow the user to use services w/o asking them to log in.
: 3. a user can have multiple groups, allowing them to have greater
: access rights.
|
a****y Posts: 1035 | 4 Use an ACL (access control list).
man -k acl
It may be optional on some systems.
【Quoted from z**u's post】
: The Windows NT security model can define permissions per user/group: for example, file a.txt can be readable by several
: users, writable by several groups, and fully denied to some people, all of which is recorded in one BLOB.
: Is there a similar security model in UNIX? Simple UNIX file permissions are only rwxrwxrwx, which is not enough.
: If there is, are they all commercial systems? There should be free ones, right?
|
T********r Posts: 6210 | 5 FreeBSD 5 has ACL built-in. Linux has kernel patches from NSA (SELinux),
Solaris 9 has RBAC, and I think AIX/HP-UX have similar security models.
【Quoted from z**u's post】
: The Windows NT security model can define permissions per user/group: for example, file a.txt can be readable by several
: users, writable by several groups, and fully denied to some people, all of which is recorded in one BLOB.
: Is there a similar security model in UNIX? Simple UNIX file permissions are only rwxrwxrwx, which is not enough.
: If there is, are they all commercial systems? There should be free ones, right?
|
c******y Posts: 37 | 6 There are many kinds of Unix, but most of them have this feature,
called an Access Control List (ACL); it is generally
stored in the file system:
For example,
1) Solaris: setfacl/getfacl
2) AIX: acledit
3) HP-UX: swacl
4) Linux: setfacl/getfacl
i.e. on Solaris:
to set a file f.txt to
a) be readable/writable/executable by the file owner
and the file group owner
b) be readable/writable by the user buddy
c) be readable by the group manager
d) be inaccessible by all others
(setfacl -s takes the entries as one comma-separated list and requires the mask entry)
# setfacl -s user::rwx,user:buddy:rw-,group::rwx,group:manager:r--,mask:rwx,other:--- /dir/to/ |
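Post 3 asked how to give everyone in group G access to foo.txt except user B, and post 6 shows the setfacl syntax. The Python below is an added example, not code from this thread: it parses a constructed getfacl-style listing and applies the POSIX.1e access-check order described in acl(5) (owner entry, then a matching named-user entry, then the group entries, then other, with the mask applied to named-user and group entries). The ACL text, the users alice/bob/carol and the group memberships are constructed sample data.

```python
# Constructed getfacl-style listing for foo.txt (sample data, not from the thread).
# Everyone in group g (alice, bob) may read/write, but bob gets a named-user entry
# granting nothing: that is how "all of G except B" is expressed without a new group.
ACL_TEXT = """\
# file: foo.txt
# owner: root
# group: root
user::rw-
user:bob:---
group::r--
group:g:rw-
mask::rw-
other::---
"""
# Constructed group membership (who belongs to which group).
GROUPS = {"root": {"root"}, "g": {"alice", "bob"}}


def parse_acl(text):
    """Return (owner, owning_group, [(tag, qualifier, set_of_perms), ...])."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        if line.startswith("# owner: "):
            owner = line.split(": ", 1)[1]
        elif line.startswith("# group: "):
            group = line.split(": ", 1)[1]
        elif line and not line.startswith("#"):
            tag, qual, perms = line.split(":")
            entries.append((tag, qual, set(perms.replace("-", ""))))
    return owner, group, entries


def acl_check(text, user, groups, want):
    """Return True if `user` may do `want` (e.g. "rw") under the acl(5) check order."""
    owner, owning_group, entries = parse_acl(text)
    need = set(want)

    def find(tag, qual):
        return [p for t, q, p in entries if t == tag and q == qual]

    mask = (find("mask", "") or [set("rwx")])[0]      # no mask entry: nothing is masked
    if user == owner:                                  # 1. owner entry, never masked
        return need <= find("user", "")[0]
    if find("user", user):                             # 2. named-user entry decides, even if it grants less
        return need <= (find("user", user)[0] & mask)
    member_of = {g for g, members in groups.items() if user in members}
    group_perms = (find("group", "") if owning_group in member_of else []) + \
                  [p for g in member_of for p in find("group", g)]
    if group_perms:                                    # 3. any matching group entry may grant
        return any(need <= (p & mask) for p in group_perms)
    return need <= find("other", "")[0]                # 4. other entry, never masked
```

Running it shows that bob is denied even read access although group g has rw-, because the named-user entry is consulted before any group entry; lowering the mask to r-- would also strip write from alice without touching the group entry itself.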
c******y Posts: 37 | 7
Under Linux, ext3/jfs/xfs support ACL with
extended attributes without any patches.
RBAC is not used for this. Consult getfacl/setfacl
manpages.
【Quoted from T********r's post】
: FreeBSD 5 has ACL built-in. Linux has kernel patches from NSA (SELinux),
: Solaris 9 has RBAC, and I think AIX/HP-UX have similar security models.
|
T********r Posts: 6210 | 8
I knew RBAC is not for this purpose. ;-) Haven't used Solaris for
a long time, and do not want to check Solaris doc just for this Q.
Just wanted to show that *nix have everything you want, e.g., ACL,
RBAC, MAC...
【Quoted from c******y's post】
:
: Under Linux, ext3/jfs/xfs support ACL with
: extended attributes without any patches.
: RBAC is not used for this. Consult getfacl/setfacl
: manpages.
|
D****g Posts: 2860 | 9 Google "access control list", which is implemented in TrustedBSD, included
in FreeBSD 5.x
【Quoted from z**u's post】
: Thanks for the reply; let me keep asking...
: 1. This is a restriction on users' overall behavior, not a restriction on some
: specific target(s). Sounds like overkill.
: 2. Is the restriction built into the service (implemented with code)?
: 3. Say users A and B belong to group G. How do I specify that everybody in
: group G can access foo.txt, except B? Do I have to define a new group = G-B?
: Forgive me if the questions are too dumb.
|