View Single Post
  #4   (View Single Post)  
Old 8th October 2009
TerryP's Avatar
TerryP TerryP is offline
Arp Constable
Join Date: May 2008
Location: USofA
Posts: 1,547

Sounds close enough, but on g) I would have to say that the kernel is the almighty governor of resource limits, with the hardware being the HBIC.

Traditional UNIX file permissions are basically a limited no frills implementation of Access Control Lists, still works ok today but modern ACLs are better in more complex situations. A unix permission mask is basically an ACL restricted to 3 entries: owning user, owning group, and everyone else; with 3 permissions available for each entry: read, write, and exec. (Contrast to some of the TOPS family). The name means nothing, its just an identifier: the system deals with numbers (*UIDs and *GIDs), so you can basically name users & groups whatever your OS allows. (For example, BSD allows me to use 'Terry' instead of GNU/Linux distros forced 'terry'; but its the numbers that count on access control)

Setting the login class can limit the harm the user or program can cause, so for example the login class _mysql that I created, it gives the invocator less stingent resource limits then the typical daemon class - yet it still has limits on how much it can consume.

su -c loginclass username -c 'commands here'
can run a 'commands here' under username, with the specified login class instead of the users normal one - so for example, a program can be run as demigod for the file perms but a different login class used to control resource limits.

The system provides a few things like operator that are useful, but utilizing the permissions and login systems, you can create arbitrary concoctions of your own, as they are needed. A worthless example might be allowing junior developers to edit and build source files in a shared project directory, but only allowing senior developers to commit code to the local version control system.

edit: you might also want to look at a program called chflags, in the system manual
My Journal

Thou shalt check the array bounds of all strings (indeed, all arrays), for surely where thou typest ``foo'' someone someday shall type ``supercalifragilisticexpialidocious''.
Reply With Quote