brinxmat

Joined: Oct 24, 2005 Posts: 262 Location: Norway
|
Posted: Sun Feb 12, 2006 1:15 pm Post subject:
|
 |
|
| Kassen wrote: | Well, if you insist you may disagree, but I think we are saying the same thing. I'm in favour of multiple account systems, I actually have a guest account on this box. What I was hinting at was that while "root" seems to imply a certain role and a certain expertise, it's often the same physical person, just under a different name.
Just read it back, it was really just a very small side note and in complete agreement with your take. |
Yes, I agree. I mis-read what you were saying. Sorry about that.
I hope that your guest account allows external logins via rsh and has the usual username: guest/password: guest combination.
This is the point of Apple's rootlessness: the single-user machine also has a conceptual root, but root commands are always delegated to a sudoer Admin. (You can add root back in to OS X if you want. In the same way as you can restore the passwordless login to XP via the registry.)
I will disagree anyway because I am a dick. There, I said it. _________________ -- Say "Ðonne hit wæs hrenig weðer" |
|
|
blue hell
Site Admin

Joined: Apr 03, 2004 Posts: 24506 Location: The Netherlands, Enschede
Audio files: 298
G2 patch files: 320
|
Posted: Sun Feb 12, 2006 1:29 pm Post subject:
|
 |
|
| brinxmat wrote: |
This was my point about NTFS — it doesn't get used. I reckon this might be because Admins still don't get the usefulness of a secure approach, combined with its lack of user friendliness. |
Surely I see the usefulness, but I don't understand a thing about Windows rights management, the help files teach me nothing, and when I try to just do it I get trouble with users not being able to do what they are supposed to do (they are not even allowed to change user settings in software, well they are, but it won't save to ini files; or they can't use a COM port, stuff like that). I tried to read some Windows server management books, useless, waste of time.
And yes the documents end up password protected, that's easy making some groups and users and juggling a bit, but most users end up having admin privileges on their local PC because otherwise I seem to have to change all programs' individual rights.
So, for instance, when someone brings one of those nice Sony DRM-ed CDs to play it at work I'm in deep trouble. _________________ Jan
also .. could someone please turn down the thermostat a bit.
 |
|
|
brinxmat

Joined: Oct 24, 2005 Posts: 262 Location: Norway
|
Posted: Sun Feb 12, 2006 2:30 pm Post subject:
|
 |
|
Blue Hell:
I am in 100% agreement with you regarding the brilliance of technical documentation (I write documentation for a living); so much of it is hopeless tripe.
What I should have said was that Admins tend to rely on their firewall and perimeter defences. This is often not a problem until some user connects a laptop to an insecure network, or inserts a disk with autorun.
From the point of view of a documentationalist, I can guarantee that a good product has good documentation for two reasons: 1, part of a good product is its documentation: its documentation is a part of what makes it good; and 2, a good product is easy to write good documentation for. Windows fails on several of these counts.
Maybe privs. management should be easier! Check out identity management software. And, no, I don't work for them (though they are very nice chappies/chappettes!) |
|
|
blue hell
Site Admin

Joined: Apr 03, 2004 Posts: 24506 Location: The Netherlands, Enschede
Audio files: 298
G2 patch files: 320
|
Posted: Sun Feb 12, 2006 2:51 pm Post subject:
|
 |
|
Was just ranting a bit I guess; don't think identity management (tm) would help me, I'm beyond hope here :-) |
|
|
Kassen
Janitor


Joined: Jul 06, 2004 Posts: 7678 Location: The Hague, NL
G2 patch files: 3
|
Posted: Sun Feb 12, 2006 3:11 pm Post subject:
|
 |
|
| brinxmat wrote: |
I hope that your guest account allows external logins via rsh and has the usual username: guest/password: guest combination.
|
The firewall the machine is behind most certainly doesn't, that one actually only accepts connections from certain IP addresses for remote admining after a rather -erm- interesting ftp incident coming from a rather remarkable IP range. I manually made that combination like that because I don't mind my friends using this pc for some internet or whatever but I do mind them reading my email.
| Quote: |
This is the point of Apple's rootlessness: the single-user machine also has a conceptual root, but root commands are always delegated to a sudoer Admin. (You can add root back in to OS X if you want. In the same way as you can restore the passwordless login to XP via the registry.)
|
Makes some sense but that would make big administrative tasks a chore. My box doesn't allow you to log on as root for the whole session but I can have a command prompt with root privileges if I want to. The default way of doing it is entering a normal command window, going "su" when you need to, then going "exit" once that need is gone. Makes sense to me. _________________ Kassen |
|
|
elektro80
Site Admin

Joined: Mar 25, 2003 Posts: 21959 Location: Norway
Audio files: 14
|
Posted: Sun Feb 12, 2006 3:32 pm Post subject:
|
 |
|
| Blue Hell wrote: | | And yes the documents end up password protected, that's easy making some groups and users and juggling a bit, but most users end up having admin privileges on their local PC because otherwise I seem to have to change all programs' individual rights. |
Well, that might seem the easiest way out on Windows, but in general this is a truly bad policy for any workstation. A user shouldn't do their work logged in as an admin. Hey, I am not even logged in as admin on my workstation at home.
As for going sudo when installing various stuff, OS X has a slightly different architecture which means a lot of smart stuff often should go into Library/ instead of user/Library. This makes perfect sense, but I am not too happy about stupid installers that won't let ME choose if a set of components and library files should be global or user specific or whatever. For some reason they hire morons for writing the installer apps. It is of course quite possible to dismantle OS X pkg and mpkg installers in order to get it right. _________________ A Charity Pantomime in aid of Paranoid Schizophrenics descended into chaos yesterday when someone shouted, "He's behind you!"
MySpace
SoundCloud
Flickr |
|
|
Kassen
Janitor


Joined: Jul 06, 2004 Posts: 7678 Location: The Hague, NL
G2 patch files: 3
|
Posted: Sun Feb 12, 2006 3:39 pm Post subject:
|
 |
|
| elektro80 wrote: | | It is of course quite possible to dismantle OS X pkg and mpkg installers in order to get it right. |
I'm sure it is, but at that stage you are only a step away from suggesting that it's preferable to compile it all yourself which sorta kinda defeats the whole point of getting a Mac. |
|
|
seraph
Editor


Joined: Jun 21, 2003 Posts: 12398 Location: Firenze, Italy
Audio files: 33
G2 patch files: 2
|
Posted: Sun Feb 12, 2006 3:39 pm Post subject:
|
 |
|
| elektro80 wrote: | | Hey, I am not even logged in as admin on my workstation at home. |
may I ask you why  _________________ homepage - blog - forum - youtube
| Quote: | | Don't die with your music still in you - Wayne Dyer |
|
|
|
elektro80
Site Admin

Joined: Mar 25, 2003 Posts: 21959 Location: Norway
Audio files: 14
|
Posted: Sun Feb 12, 2006 3:51 pm Post subject:
|
 |
|
| seraph wrote: | | elektro80 wrote: | | Hey, I am not even logged in as admin on my workstation at home. |
may I ask you why  |
It violates one of my security policies, that is why.
I know. I am an old humourless paranoid fart.
|
|
seraph
Editor


Joined: Jun 21, 2003 Posts: 12398 Location: Firenze, Italy
Audio files: 33
G2 patch files: 2
|
Posted: Sun Feb 12, 2006 3:54 pm Post subject:
|
 |
|
| elektro80 wrote: |
It violates one of my security policies |
scary, to say the least I don't even dare to ask what are your other security policies but I may guess: you wear gloves and a mask to operate your workstation. Am I on the right track |
|
|
brinxmat

Joined: Oct 24, 2005 Posts: 262 Location: Norway
|
Posted: Sun Feb 12, 2006 4:07 pm Post subject:
|
 |
|
| kassen wrote: | | I'm sure it is, but at that stage you are only a step away from suggesting that it's preferable to compile it all yourself which sorta kinda defeats the whole point of getting a Mac. |
Really? I like compiling things. X is *NIX. It's the only useable graphical *NIX too. Compiling and dibbling is what the *NIX is there for.
| elektro80 wrote: | | As for going sudo when installing various stuff, OS X has a slightly different architecture which means a lot of smart stuff often should go into Library/ instead of user/Library. |
But it is a "qualified" Admin that should be installing into Library/, no? Your average user should be warned off anything outside ~. Take a look at the docs for StringTools.
| elektro80 wrote: | | I am an old humourless paranoid fart. |
Aww. That's not true, you're not that old.
Kassen: Fixed IPs are a good defence, at least to a degree. I have a nice firewall for myself: it's a lead I pull out of the wall when I'm done mailing! 100% secure (as long as it's out of the wall).
The "conceptual root" is (I think) only present on OS X client, the server is different — and poo.
| Quote: | | (I write documentation for a living); so much of it is hopeless tripe. |
That makes me sound really intelligent. døh!
Sorry, I opened a can of worms here! |
|
|
elektro80
Site Admin

Joined: Mar 25, 2003 Posts: 21959 Location: Norway
Audio files: 14
|
Posted: Sun Feb 12, 2006 4:12 pm Post subject:
|
 |
|
| seraph wrote: | | elektro80 wrote: |
It violates one of my security policies |
scary, to say the least I don't even dare to ask what are your other security policies but I may guess: you wear gloves and a mask to operate your workstation. Am I on the right track  |
Not really.. but the thought is nice. |
|
|
elektro80
Site Admin

Joined: Mar 25, 2003 Posts: 21959 Location: Norway
Audio files: 14
|
Posted: Sun Feb 12, 2006 4:16 pm Post subject:
|
 |
|
| brinxmat wrote: |
| elektro80 wrote: | | As for going sudo when installing various stuff, OS X has a slightly different architecture which means a lot of smart stuff often should go into Library/ instead of user/Library. |
But it is a "qualified" Admin that should be installing into Library/, no? Your average user should be warned off anything outside |
Right. The average user wouldn't be able to go "OK - whatever" on admin passw prompts anyway. |
|
|
mosc
Site Admin

Joined: Jan 31, 2003 Posts: 18260 Location: Durham, NC
Audio files: 228
G2 patch files: 60
|
Posted: Sun Feb 12, 2006 5:05 pm Post subject:
|
 |
|
| brinxmat wrote: |
Do these help the average user, on a single system? Their application is not easily manageable. Does Apple provide any sensible tools for privileges management? |
I don't like Windows or OSX from the perspective of a systems administrator because so much of it is tools oriented, graphical tools that is. First, it's hard to manage a machine on the other side of a firewall. Second, it's hard to set up batch programs or scripts to do system admin tasks.
I think Unix system administrators make continuous use of the Unix programming environment with all of the shell programming features - sed, ed, awk, perl, sort, grep, etc. For people that don't know this methodology it's hard for them to understand its usefulness, but to those that use it every day, GUI admin tools seem retarded. _________________ --Howard
my music and other stuff |
|
|
elektro80
Site Admin

Joined: Mar 25, 2003 Posts: 21959 Location: Norway
Audio files: 14
|
Posted: Sun Feb 12, 2006 5:12 pm Post subject:
|
 |
|
| mosc wrote: | | First, it's hard to manage a machine on the other side of a firewall. Second, it's hard to set up batch programs or scripts to do system admin tasks. |
This does not apply to OS X. |
|
|
blue hell
Site Admin

Joined: Apr 03, 2004 Posts: 24506 Location: The Netherlands, Enschede
Audio files: 298
G2 patch files: 320
|
Posted: Sun Feb 12, 2006 5:19 pm Post subject:
|
 |
|
| mosc wrote: | | sed, ed, awk, perl, sort, grep, etc. |
You can have such tools on Windows, and a "proper" shell & stuff as well with cygwin or mingw, don't know which is best, see http://en.wikipedia.org/wiki/Mingw maybe, they are mentioned both there and compared on some aspects. |
|
|
brinxmat

Joined: Oct 24, 2005 Posts: 262 Location: Norway
|
Posted: Mon Feb 13, 2006 4:58 am Post subject:
|
 |
|
| mosc wrote: |
I don't like Windows or OSX from the perspective of a systems administrator because so much of it is tools oriented, graphical tools that is. First, it's hard to manage a machine on the other side of a firewall. Second, it's hard to set up batch programs or scripts to do system admin tasks.
I think Unix system administrators make continuous use of the Unix programming environment with all of the shell programming features - sed, ed, awk, perl, sort, grep, etc. For people that don't know this methodology it's hard for them to understand its usefulness, but to those that use it every day, GUI admin tools seem retarded. |
Er... The graphical admin tools from OS X are just Cocoa wrappers for *NIX command-line tools. The command-line variants are available on the command line. If a unix tool is unavailable as standard, it can be compiled into OS X. I don't understand. Mac OS X is NOT Mac OS, it is BSD *NIX. I have used Perl and grep extensively on OS X. Just like that. They are part of the BSD layer. |
|
|
elektro80
Site Admin

Joined: Mar 25, 2003 Posts: 21959 Location: Norway
Audio files: 14
|
Posted: Mon Feb 13, 2006 6:42 am Post subject:
|
 |
|
It can be argued that one specific GUI tool isn't 100% perfect. That is the webserver (Apache) GUI interface in OS X Server. It is basically not quite there even though the feature set is pretty cool. The integration of Apache has some minor flaws. It does not affect performance but instead it creates a minor hassle with some small issues. If you are planning to mess up Apache big time, then OS X Server is not the perfect platform. This has of course nothing to do with the UNIX bit of OS X.
There are of course other tools bundled in the OS X Server suite. Some of these aren't just command wrappers. Instead they add "new" stuff. I don't see this as a bad thing at all. The remote admin app for the XRAID product is excellent and Apple has also improved the firmware bigtime. The Apple admin GUI for users, groups and permissions for OS X Server is also a great tool. This one is a big time saver and the GUI makes perfect sense. |
|
|
elektro80
Site Admin

Joined: Mar 25, 2003 Posts: 21959 Location: Norway
Audio files: 14
|
Posted: Mon Feb 13, 2006 7:19 am Post subject:
|
 |
|
Trivia:
The foundation of Apple's web browser products is the WebKit Open Source Project. http://webkit.opendarwin.org/
That is quite an interesting site to visit. |
|
|
mosc
Site Admin

Joined: Jan 31, 2003 Posts: 18260 Location: Durham, NC
Audio files: 228
G2 patch files: 60
|
Posted: Mon Feb 13, 2006 11:58 am Post subject:
|
 |
|
| elektro80 wrote: | | It can be argued that one specific GUI tool isn't 100% perfect. That is the webserver (Apache) GUI interface in OS X Server. It is basically not quite there even though the feature set is pretty cool. The integration of Apache has some minor flaws. It does not affect performance but instead it creates a minor hassle with some small issues. |
Yes, this is what I was trying to express. If you use the Apple GUI tool to administer Apache, then you really can't edit the httpd.conf file or you'll mess up the GUI interface. GUI admin interfaces for UNIX systems are essentially text config file editors. Generally, they don't include the full-featured parsers found in the programs; they use a subset of what the programs understand. They expect the text config files to have this limited subset.
I generally avoid these GUI interfaces because I have learned how to run a server with the native config files. I write my own parsers and editors.
OSX is based on BSD but it has significant additional tangential development. From the perspective of an administrator, they aren't the same. I once changed a password with the passwd command and caused Mr. Elektro80 considerable grief. I've learned to be pretty careful not to make assumptions that OSX is just another UNIX system. |
|
|
mosc
Site Admin

Joined: Jan 31, 2003 Posts: 18260 Location: Durham, NC
Audio files: 228
G2 patch files: 60
|
Posted: Mon Feb 13, 2006 12:08 pm Post subject:
|
 |
|
| Blue Hell wrote: | | mosc wrote: | | sed, ed, awk, perl, sort, grep, etc. |
You can have such tools on Windows, and a "proper" shell & stuff as well with cygwin or mingw, don't know which is best, see http://en.wikipedia.org/wiki/Mingw maybe, they are mentioned both there and compared on some aspects. |
I use cygwin on my XP machines. It's really great, but sometimes it runs up against the XP permissions and hits a brick wall. I've never tried mingw. These UNIXes that load under Windows are very convenient and useful, but in and of themselves they are insufficient for administering Windows machines.
My point was not that the UNIX programs aren't available on the other OSes, it's that you can't administer the machines with them. |
|
|
elektro80
Site Admin

Joined: Mar 25, 2003 Posts: 21959 Location: Norway
Audio files: 14
|
Posted: Mon Feb 13, 2006 12:16 pm Post subject:
|
 |
|
Well, this is simply about the integration with Apache on OS X Server. The plain client system is as you would expect any other nix would play. The GUI for Apache on the OS X Server is however the only section of OS X I have found badly documented. The comments in the settings files are way out into lala country.
As for the passw thingie, this was just mainly about me running a different set of security policies. On a public system, never use nix user accts for the FTP. I know campus servers are set up in the old fashioned way, and this is of course cool with a LAN only server rig, but when the server is in the DMZ zone.. then having a full integration of local and remote nix users to services like FTP.. no no no no..! |
|
|
mosc
Site Admin

Joined: Jan 31, 2003 Posts: 18260 Location: Durham, NC
Audio files: 228
G2 patch files: 60
|
Posted: Mon Feb 13, 2006 2:10 pm Post subject:
|
 |
|
| elektro80 wrote: | but when the server is in the DMZ zone.. then having a full integration of local and remote nix users to services like FTP.. no no no no..!  |
As you know. I DO like running FTP as an independent application. Aside from it being something that costs money, it's great. I won't mention the application's name for security purposes. |
|
|
elektro80
Site Admin

Joined: Mar 25, 2003 Posts: 21959 Location: Norway
Audio files: 14
|
Posted: Mon Feb 13, 2006 2:36 pm Post subject:
|
 |
|
| mosc wrote: | | As you know. I DO like running FTP as an independent application. |
I know. |
|
|
GovernorSilver

Joined: Apr 26, 2004 Posts: 1349 Location: Washington DC Metro
G2 patch files: 1
|
Posted: Wed Feb 15, 2006 3:02 pm Post subject:
|
 |
|
| elektro80 wrote: | | Yes. The new Battlestar Galactica is really cool. I never liked BG-TOS, but this one is good. |
And the new Cylons are much, much better looking (e.g. Number 6).
I was skeptical of the new Starbuck and Boomer, but I like both characters a lot now. Actually, ALL the original characters have more personality now. Richard Hatch (the original Apollo) also does a nice job as the shadowy terrorist-turned-politician Tom Zarek. And Mary McDonnell is brilliant as President Roslyn (another "new" character), a worthy foil for Adama (also brilliantly played, by Edgar James Olmos). |
|
|