Love Bug Hacker as Hero

Les Schaffer godzilla at netmeg.net
Sat May 13 16:20:58 PDT 2000


Hi John:

One of the reasons why i asked if you could flesh things out some is that your original statement was too simplistic, as you yourself implicitly state in your message below. It'd be great if people with computer technical skills would not follow the ways of corporate/capitalist psyop warriors when it comes to discussing computers and operating systems. We should do everything we can to make the lives of workers who have to deal with these systems as simple and safe as possible. That's hard to do but harder to do if they are constantly fed with inappropriate slogans like "NT is more secure than Linux".


> On Linux, if you have a file, it has "permissions", of which there
> are three classes per file: user, group, and everyone. You can say
> that a file belongs to "johnk", and to the group "web", and has read
> and write permissions for johnk and web, but only read permissions
> for the world. (This allows me and my group to work on it, but
> everyone can only look at it.) A file cannot belong to two groups;

why is that important (vis a vis security)?


> you cannot make write permissions available to a single user outside
> of the group.

if you say 'cannot as easily make' .... you'd carry more authority in my mind.

for example, i can create a new group 'web' as superuser and admit one single user 'karlm' into that group. in that way i could pretend that a file owned by someone else (say 'frede') could also give write permissions to the new group 'web' so defined, and voila the single added person 'karlm' has read/write permissions, or whatever.


> On NT, you have this fine level of control. (It's called access
> control lists.)

(nota bene: ACL == access control lists)

ACL has been a topic in the linux kernel mailing list for at least a year. here is a site for linux ACL developers, go learn and/or pitch in to your heart's content:

http://acl.bestbits.at/acl-devel/


> Also, on Linux, you have a login that allows you onto your machine.
> If you need access to several machines, you create a "domain", and
> add machines to it, and you can get access to all those machines.

i have no idea what you are talking about here. in any unix system, you network computers together and control external access via files in /etc ... for example, hosts.* controls access by host, login.* controls access to login functions by user and host. etc.


> When a machine defers to the domain's authority, it loses its
> ability to have its own lists of users.

???????

when i log on remotely to a machine, if i can get authenticated, i am just another user on the system.


> On NT, you also have domains, but participating in a domain doesn't
> deprive the machine of its own list of users. Also, NT has a lot of
> features to help you establish "trust" relationships between
> domains, so they may "share" users. NT also has security features
> that let you group access to the system by groups, while Linux's
> isn't so fine-grained.

okay. so EXPLAIN how these features make WinXX more SECURE than linux. and also explain it to people in the context of things they hear about: the visual basic virus, all the Outlook and attachment nonsense, etc.

otherwise, you are too coarse-grained in your coverage and risk being labeled as a spreader of FUD (fear, uncertainty, and doubt).


> The irony is, Linux often ends up more secure than NT.

i was waiting for you to say this....


> Basically, most people don't like security, and turn it off.

i had to switch a workstation cluster to NT from WIN98 last year because the solid modeling programs "preferred" NT (according to the software mfgers).

every time i am in there working on systems people say to me, "why do we gotta log in? i don't like to. it was much simpler in WIN98."

but security issues for WinXX clusters used by ordinary non-tech people have much more important security problems before you get to the level you are discussing with ACL's, domains, fine-graininess, and all that.

as you well know....

les schaffer
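
The single-member group workaround discussed above, and the one-group-per-file limit it runs into, as an added example that is not part of the original message: a small Python model of the classic owner/group/other check (no ACLs, superuser bypass not modelled). The names frede, karlm and web come from the message; annal, staff and the mode 0o664 are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class File:
    owner: str
    group: str   # a file has exactly one group
    mode: int    # octal permission bits, e.g. 0o664

# Constructed group database: 'web' has the single member karlm.
GROUPS = {"web": {"karlm"}, "staff": {"frede", "annal"}}

def groups_of(user):
    """Return every group the user is a member of."""
    return {g for g, members in GROUPS.items() if user in members}

def can(user, f, want):
    """Classic Unix check: exactly one class applies, tested in the
    order owner, group, other. 'want' is 'r', 'w' or 'x'."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if user == f.owner:
        cls = (f.mode >> 6) & 7
    elif f.group in groups_of(user):
        cls = (f.mode >> 3) & 7
    else:
        cls = f.mode & 7
    return bool(cls & bit)

def demo():
    """Show the workaround and what it costs the file's previous group."""
    f = File(owner="frede", group="staff", mode=0o664)
    out = {
        "karlm_write_before": can("karlm", f, "w"),  # only 'other' bits apply
        "annal_write_before": can("annal", f, "w"),  # member of staff
    }
    f.group = "web"  # equivalent of: chgrp web <file>
    out["karlm_write_after"] = can("karlm", f, "w")  # now in the file's group
    out["annal_write_after"] = can("annal", f, "w")  # staff lost group access
    out["annal_read_after"] = can("annal", f, "r")   # world-readable still
    out["frede_write_after"] = can("frede", f, "w")  # owner is unaffected
    return out

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The workaround grants karlm write access, but because the file carries a single group, the previous group's members fall back to the world bits, which is the gap ACLs are meant to close.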


