[Fwd: Re: [luau] Group Policies for Linux]

MonMotha monmotha at indy.rr.com
Sat Apr 12 10:00:01 PDT 2003


I didn't notice we changed the reply-to header and replied only to Virgil directly.

Forwarding to the list.

--MonMotha


-------- Original Message --------
Subject: Re: [luau] Group Policies for Linux
Date: Sat, 12 Apr 2003 14:34:19 -0500
From: MonMotha <monmotha at indy.rr.com>
To: Virgil <virgil at hawaii.rr.com>
References: <BABD7E79.E8BC%virgil at hawaii.rr.com>

Virgil wrote:
> Hi all,
> 
> Sorry I'm new to this and it might sound like a crazy question.
> 
> Does Linux have anything to do with Group Policies (GPO)? If not, is there
> anything similar on Linux that uses or has GPOs? Is this a core technology
> of Active Directory in Win2000 only?
> 
> Thanks,
> Virgil
> 

Linux/UNIX's policy system can't really be compared directly to Win2k/Novell
(which are both similar).

Win2k/Novell uses a trustee model, where one or more users are directly
specified as trustees of an object.  Users can also be members of groups.
Arbitrary numbers of users and groups can be specified, each with different
permissions.  This has the advantage of being very flexible, but it does consume
a large amount of metadata and can be a headache for sysadmins trying to figure
out which permissions will be given to a particular user/group as permissions
can also be inherited, or granted from multiple group memberships.

Linux/UNIX use a model where each object (file, device node, fifo, etc) has a
single "owner" uid, a single gid, and then permissions for everyone else not
specified already.  There are three permission bits (WinNT has at least 6,
Novell NDS many more): read, write, and execute (for the record, there are some
other more exotic ones, such as the setuid bit, setgid bit, and the sticky
bit...other than on directories, these have little effect on access, only how
things are executed).  Each of these three bits can be assigned to the
user/owner, group, and others.  This is actually a lot more flexible than it
sounds, though it can require a fair amount of management of group members (man
groupadd, man groupdel, and also see /etc/group).  On the plus side, permissions
are not inherited (with such a simple system it makes no sense to do so), making
it a bit easier for admins to see who has what "rights" (to use an NDS/WinNT term).

Hope this helps.

--MonMotha
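
The owner/group/other check described in the message above, as an added example that is not part of the original post. The uids, gids and modes are constructed sample values, and the superuser override is not modelled. It shows that only the first matching class applies, so rights are not combined across classes the way a trustee model combines them.

```python
import stat

_SHIFT = {"owner": 6, "group": 3, "other": 0}
_BIT = {"r": 4, "w": 2, "x": 1}


def permission_class(file_uid, file_gid, uid, groups):
    """Pick the single class whose bits apply: owner, then group, then other."""
    if uid == file_uid:
        return "owner"
    if file_gid in groups:
        return "group"
    return "other"


def allowed(mode, file_uid, file_gid, uid, groups, want):
    """Return True if every access in `want` (subset of 'rwx') is granted.

    Assumption: the superuser (uid 0) override is not modelled here.
    """
    cls = permission_class(file_uid, file_gid, uid, groups)
    bits = (mode >> _SHIFT[cls]) & 0o7
    need = sum(_BIT[c] for c in want)
    return bits & need == need


def special_bits(mode):
    """Name the setuid, setgid and sticky bits set in `mode`."""
    flags = ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"),
             (stat.S_ISVTX, "sticky"))
    return [name for flag, name in flags if mode & flag]


def describe(mode):
    """Render the mode of a regular file the way `ls -l` prints it."""
    return stat.filemode(stat.S_IFREG | mode)


if __name__ == "__main__":
    # Constructed sample: file owned by uid 1000, gid 50.
    print(describe(0o640), allowed(0o640, 1000, 50, 1001, {50}, "r"))
    # The owner is also in group 50, but only the owner bits (none) are used.
    print(describe(0o064), allowed(0o064, 1000, 50, 1000, {50}, "r"))
    print(describe(0o4755), special_bits(0o4755))
```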




