| T.R | Title | User | Personal Name | Date | Lines |
|---|---|---|---|---|---|
| 3545.1 | see IAMOK::INSPECT_SRF 986 for additional information | GIDDAY::SETHI | Recompense injury with justice | Wed Nov 17 1993 23:42 | 13 | 
|  |     Hi Ron,
    
    I have a topic that is under discussion in the IAMOK::INSPECT_SRF
    conference note 986.  I think that engineers from all groups will find
    the discussion helpful I hope.
    
    I haven't found problems with file protections but with account
    deletions, *some system managlers* have run the lockdown procedure
    without much thought.
    
    Regards,
    
    Sunil
 | 
| 3545.2 | Once bitten... | SUBURB::BROWNSTONE | Out to lunch | Wed Nov 17 1993 23:45 | 45 | 
|  |     Hi Ron,
    
    Yes, I was silly enough to carry out part of this directive without
    fully testing the results.
    
    I can tell you that...
    
    o Removing world access to the shared area documents is OK.
    
    o Removing world access to the OA$DATA files mentioned and the SDAF's
      is OK.
    
    BUT
    
    o Removing world access from the shared area directories results in
      unprivileged users being unable to print shared documents,
      although they can still be read.
    
      I'm assuming that the WPSPLUS formatter, in its wisdom, doesn't use
      its privs correctly when accessing shared area documents.
    
      At least W:E on the directory files is required for successful
      printing.
    
      Any more informed ideas on why this should be so?
    
    
    I haven't yet looked at removing group access to user files 'cos I've
    not confirmed that there isn't still some pre V3.0 document sharing in
    place.
    
    As for the UIC of the ALL-IN-1 accounts. OK, ensure that they have a
    unique UIC group. However, on my systems the ALLIN1 account UIC is
    always lower than MAXSYSGROUP. It isn't appropriate to have the
    transfer accounts share this UIC because this'd give rise to proxy
    access to an account with implicit SYSPRIV, in contravention of
    DECstandard 11.1 (INSPECT).
    
    I've fed this back to the UK Field Security Manager. I'd recommend
    caution until this lot gets straightened out.
    
    Cheers
    
    Chris
    
 | 
| 3545.3 | Secretaries will soon be calling | AIMTEC::ZANIEWSKI_D | Why would CSC specialists need training? | Thu Nov 18 1993 13:05 | 5 | 
|  |         If you have Time Management users that require set owner (SO)
        access to other calendars, you may find you have to attribute the
        loss in functionality to "the corporate security cops".
        
        Dave Zaniewski
 | 
| 3545.4 | Yes, we say "be very careful" with this! | IOSG::PYE | Graham - ALL-IN-1 Sorcerer's Apprentice | Fri Nov 19 1993 17:15 | 17 | 
|  |     We're just about to send an official response to this saying we don't
    agree with a lot of it.
    
    Re .Chris B. I found the printing failed very quickly, and I don't
    think the formatter is at fault. If it used its privs to get the file,
    it wouldn't matter what the directory protection was. I suspect that we
    look the file up in the directory in some way before passing it to the
    formatter. In any case, we recommend leaving W:E on the directories.
    
    My general view on Group protections is that they're a pain, and
    wherever possible, I remove them from the product. However, some sites
    may have used them to set up some sort of controlled sharing schemes
    based on workgroup members being in the same UIC group.
    
    I'll post our full response here later.
    
    Graham
 |
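
An added example, not part of the thread or of ALL-IN-1: a simplified Python model of OpenVMS UIC-based protection checking, illustrating two points raised in 3545.2, namely that an unprivileged lookup by name needs W:E on the directory, and that a UIC group at or below MAXSYSGROUP falls into the System category. The UIC values and protection masks are constructed; ACLs and privileges are not modelled.

```python
# Simplified model of OpenVMS UIC-based protection (added example).
# Assumptions: no ACLs, no SYSPRV/GRPPRV/BYPASS/READALL privileges.
from typing import NamedTuple

class UIC(NamedTuple):
    group: int
    member: int

# Constructed sample UICs (not taken from the thread).
USER = UIC(0o200, 0o5)        # ordinary unprivileged user
AREA_OWNER = UIC(0o300, 0o1)  # owner of a shared area, unique UIC group
LOW_GROUP = UIC(0o7, 0o20)    # account whose group is below MAXSYSGROUP

def parse_mask(text):
    """Parse 'S:RWED,O:RWED,G,W:E' into {'S': {'R','W','E','D'}, ...}."""
    mask = {"S": set(), "O": set(), "G": set(), "W": set()}
    for field in text.upper().split(","):
        category, _, access = field.strip().partition(":")
        mask[category[0]] = set(access)
    return mask

def categories(accessor, owner, maxsysgroup):
    """Return every protection category the accessor falls into."""
    cats = {"W"}                       # everyone is in World
    if accessor.group == owner.group:
        cats.add("G")
    if accessor == owner:
        cats.add("O")
    if accessor.group <= maxsysgroup:  # low UIC group => System category
        cats.add("S")
    return cats

def granted(accessor, owner, mask_text, maxsysgroup=0o10):
    """Union of the access bits from every category the accessor matches."""
    mask = parse_mask(mask_text)
    out = set()
    for cat in categories(accessor, owner, maxsysgroup):
        out |= mask[cat]
    return out

def can_open_by_name(accessor, dir_owner, dir_mask, file_owner, file_mask, **kw):
    """Opening [DIR]FILE by explicit name needs E (or R) on the directory
    to look the entry up, then R on the file itself."""
    dir_ok = granted(accessor, dir_owner, dir_mask, **kw) & {"R", "E"}
    return bool(dir_ok) and "R" in granted(accessor, file_owner, file_mask, **kw)
```

The model covers only an unprivileged access path; code that opens the file with privileges enabled bypasses these checks, which is the distinction discussed in 3545.4.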