Effectively Manage User and Group Accounts
If hackers breach your NT-UNIX system through a user's account, how you manage permissions and ownership determines the amount of damage that hackers can inflict. Systems with loosely configured rights are prime targets for devastation. If hackers breach NT's Administrator account or UNIX's root superuser account, they can do irreparable damage.
NT and UNIX OSs embrace the same basic principles of permissions and ownership. In both OSs, files can have no permissions or a mixture of read, write, and execute permissions. (NT also has delete, list, change permission, and take ownership options.) In both OSs, ownership determines who can administer an object and grant privileges on it to individual users and groups. The OSs don't tie ownership to group membership unless you instruct them to. In other words, just because a user is a member of a group that has access to an object, you cannot infer that the user has ownership of that object.
Most security problems arise from improperly managing user and group accounts. To let coworkers access information, users typically give them write permissions to their $HOME directory. This permission setting provides an open invitation for anyone to view, change, and copy data.
You can create a more secure system by setting up group rights. You can create NT local and global groups by selecting New Local (or Global) Group in User Manager for Domains. In UNIX, you use the /etc/group file to add system groups and, in turn, give users the ability to add members to those groups and assign file permission levels. Users can assign privileges to a group at the appropriate read, write, and execute levels.
For a highly secure UNIX environment, you can use umask, a UNIX utility that lets you establish default file permissions within the global /etc/profile script or a user-specific .profile script. You can also set similar default settings in NT through the Permissions dialog box, which you reach from a file's Properties. This way, you can initially protect the users' $HOME directory until they take deliberate action to share files with a designated group. You must encourage users to minimize coworkers' access to their files.
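The following shell sketch is an added example, not part of the original article. It shows the modes that new files receive under a permissive and a restrictive umask, audits home directories for group or world write access, and sets up a group directory for deliberate sharing. The sandbox layout, the user names alice, bob and carol, the project directory and the 2770 (setgid) mode are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Everything runs in a constructed sandbox under a temp
# directory; user names alice/bob/carol and "project" are made up.

# Octal mode of a path (GNU stat, with BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Modes a new file and a new directory receive under umask $1.
modes_under_umask() (
    umask "$1"
    d=$(mktemp -d) || exit 1
    : > "$d/file"; mkdir "$d/dir"
    echo "$(mode_of "$d/file") $(mode_of "$d/dir")"
    rm -rf "$d"
)

# Home directories under $1 that group members or everyone can write to.
writable_homes() {
    find "$1" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -020 -o -perm -002 \) -exec basename {} \; | sort
}

# Deliberate sharing: a directory owned by group $2, mode 2770, so only
# members get in and new files inherit the group (setgid bit).
make_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# Build the sandbox: one private home and two opened up "for coworkers".
build_sandbox() {
    root=$(mktemp -d) || return 1
    mkdir "$root/alice" "$root/bob" "$root/carol"
    chmod 700 "$root/alice"; chmod 777 "$root/bob"; chmod 775 "$root/carol"
    echo "$root"
}

main() {
    echo "umask 022 -> $(modes_under_umask 022)"   # permissive default
    echo "umask 077 -> $(modes_under_umask 077)"   # owner-only default
    sandbox=$(build_sandbox)
    echo "writable homes: $(writable_homes "$sandbox" | tr '\n' ' ')"
    # Assumption: the caller's primary group stands in for a project group.
    make_shared_dir "$sandbox/project" "$(id -g)"
    echo "shared dir mode: $(mode_of "$sandbox/project")"
    rm -rf "$sandbox"
}
main
```

With umask 077 in effect, files created inside the shared directory still start out owner-only, so the owner has to add group permissions explicitly before coworkers can read them.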
When users share file systems and resources, you must take special measures. As a general rule, you need to maintain the default file system rights that NT and UNIX set on the root, or system, directories. If needed, you can then control permissions to devices on the user and group levels. NT permits excellent gradation of resource permissions.