[CLUE-Tech] Sys Admin security and user directory security

Dave Anselmi anselmi at americanisp.net
Tue Dec 18 20:16:16 MST 2001


Kevin Cullis wrote:

> OK folks,
>
> I've got a question that I have not been able to answer: How can you
> provide system security and directory security at the same time with
> different people?  For example, I'd like to let the sysadmin handle all
> of the upgrades, updates, etc. for the computer security but NOT allow
> the sysadmin to view the financials in /home/kevin directory. I'm
> assuming this is possible, but how does one go about it?
>
> Kevin

As pointed out, ACLs are the way to handle this.  NT has enough that the
admin can't look at user files without the users knowing.  Some *nixen have
this too.  It may be available for Linux.  (Isn't there something called
capabilities - from BSD, I think - that might provide this as well?)

Anyway, for ACLs to work there need to be two people involved - the
sysadmin and the security officer.  The security officer doesn't have
access to the machines in question, only the sysadmin can administer them.
But the sysadmin's actions are logged and audited by the security officer
(and obviously the sysadmin can't have access to the audit logs).

As pointed out, systems like this exist, and their use may or may not be
warranted.

Dave
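
The audit review described in the message above, as an added example that is not part of the original post: a script the security officer could run on a log host the sysadmin cannot reach, listing every access to the protected directory made under someone else's login. It assumes Linux auditd-style records (simplified), a hypothetical watch key "kevin-home", and constructed uids (kevin = 1000, sysadmin = 1001).

```python
import re
from collections import defaultdict

# Constructed sample records in simplified Linux auditd style (not from the post).
# Assumed: a watch on /home/kevin tagged key "kevin-home"; kevin is uid 1000, the
# sysadmin logs in as uid 1001 and becomes root (uid 0). auid keeps the login uid.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1008731776.101:41): syscall=2 success=yes auid=1000 uid=1000 comm="gnucash" key="kevin-home"
type=PATH msg=audit(1008731776.101:41): item=0 name="/home/kevin/financials/2001.gnc"
type=SYSCALL msg=audit(1008731990.552:42): syscall=2 success=yes auid=1001 uid=0 comm="cat" key="kevin-home"
type=PATH msg=audit(1008731990.552:42): item=0 name="/home/kevin/financials/2001.gnc"
type=SYSCALL msg=audit(1008732100.007:43): syscall=2 success=no auid=1001 uid=1001 comm="ls" key="kevin-home"
type=PATH msg=audit(1008732100.007:43): item=0 name="/home/kevin/financials"
type=SYSCALL msg=audit(1008732200.300:44): syscall=59 success=yes auid=1001 uid=0 comm="rpm" key="pkg-update"
type=PATH msg=audit(1008732200.300:44): item=0 name="/bin/rpm"
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(log_text):
    """Group records by audit serial number and merge their key=value fields."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue  # not an audit record
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        fields.pop("msg", None)
        fields.pop("type", None)
        events[int(m.group(2))].update(fields, time=float(m.group(1)))
    return events

def foreign_accesses(log_text, watch_key, owner_auid):
    """Return accesses under watch_key whose login uid (auid) is not the owner's.
    Matching on auid rather than uid keeps the sysadmin visible after su to root."""
    findings = []
    for serial, ev in sorted(parse_events(log_text).items()):
        if ev.get("key") != watch_key or ev.get("auid") == owner_auid:
            continue
        findings.append((serial, ev["auid"], ev["uid"], ev["comm"],
                         ev.get("name", "?"), ev["success"]))
    return findings

if __name__ == "__main__":
    for f in foreign_accesses(SAMPLE_LOG, "kevin-home", "1000"):
        print("event %d: auid=%s uid=%s comm=%s path=%s success=%s" % f)
```

Failed attempts are reported as well as successful reads, since a denied access to the directory is still something the auditor would want to see.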




