  1. #1
    Just Joined!
    Join Date
    Jul 2004
    Posts
    4

    RSoP in Linux


    Does anybody know if there is something similar to Resultant Set of Policy (RSoP from Windows Server 2003) implemented under Linux (any kind of distribution)?

  2. #2
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    Well, for those of us that don't use Windows, could you explain what this RSoP does? ;-)

  3. #3
    Just Joined!
    Join Date
    Jul 2004
    Posts
    4

    RSoP details

    This is written in the help of RSoP:

    Resultant Set of Policy (RSoP) is an addition to Group Policy that makes policy implementation and troubleshooting easier. RSoP is a query engine that polls existing policies and planned policies, and then reports the results of those queries. It polls existing policies based on site, domain, domain controller, and organizational unit. RSoP gathers this information from the Common Information Management Object Model (CIMOM) database (otherwise known as CIM-compliant object repository) through Windows Management Instrumentation (WMI).
    RSoP provides details about all policy settings that are configured by an Administrator, including Administrative Templates, Folder Redirection, Internet Explorer Maintenance, Security Settings, Scripts, and Group Policy Software Installation.
    When policies are applied on multiple levels (for example, site, domain, domain controller, and organizational unit), the results can conflict. RSoP can help you determine a set of applied policies and their precedence (the order in which policies are applied).
    It is a query engine that polls existing policies and planned policies, and then reports the results of those queries.

  5. #4
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    Since Linux doesn't use any kind of policy in the Windows sense, I don't think it cleanly applies. What exactly is it that you're trying to do, in a Linux sense?

  6. #5
    Just Joined!
    Join Date
    Jul 2004
    Posts
    4
    I have a presentation on RSoP and a comparison with Linux would have been welcome.

  7. #6
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    Well, I have to admit I don't know Windows very well, but if I'm not completely off the mark here, these policy things in Windows are like account-wide permissions, right?

    The thing is, Linux/UNIX don't have that kind of per-account permissions, they only use per-file permissions. The only kind of per-account permissions Linux and UNIX have is that root is allowed to do more stuff, but that's very monolithic and there's little you can do to alter it.

    I don't know if maybe you want to check out kernel modifications like NSA SELinux and RSBAC. That's as close as you get to per-account permissions in Linux.

  8. #7
    Just Joined!
    Join Date
    Jul 2004
    Posts
    4
    I'm afraid I don't get the difference between a per-account permission and a per-file permission.
    In Windows, when you want to access a directory/file across a network or on a local computer, the system checks if the user you are logged in as belongs to a group that has the permission to access it. The problem is when a user belongs to more than 1 group that permissions are set for. If you are in the Administrators group, and also in a group called BizDepartement, and BizDep is not allowed to see a shared resource, you might wanna see what rules are applied to you.
    Some rules are more restrictive than others, have priority over others. This complicates things more in NTFS because you can share a directory and also set security permissions on each file in that dir. Isn't this per-file permission?
    From how I see it, those 2 types of permission are mixed up in Win.

    I've seen in Linux that you can have groups of users. So what happens if you set permissions on a file and a user who belongs to groups with different restrictions tries to access it?

  9. #8
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    Oh, I think I see your point now.

    In that case, I think I can explain it. In plain (that is, without ACLs) UNIX or Linux, that isn't a problem at all, because the permission checking is very well defined. It consists of three steps:
    1. If the effective UID of the process trying to access a file is the same as the UID on the file, access is checked against the user bits of the mode, and access is granted accordingly.
    2. If the effective GID of the process trying to access a file is the same as the GID on the file, access is checked against the group bits of the mode, and access is granted accordingly.
    3. If none of those match, access is checked against the "other" bits of the mode, and access is granted accordingly.
    That is, if the UID or GID matches, then the process stops at step 1 or step 2 respectively.

    If you work on a Linux or UNIX system with POSIX ACLs, the process is a bit more complicated. I'm not exactly sure how it works, but if I recall correctly, POSIX ACL permissions are always additive, that is, if you have access in at least one ACE, then you're granted access to the file. Otherwise, you're denied access. However, even with ACLs, the user ACEs are checked first, then the group ACEs, and last the "other" ACE, and at each of these three steps, the process continues only if there has not been a single match.
    You shouldn't take my word about that on POSIX ACLs, though. If you want to be sure, either make a few tests yourself or send a mail to the Linux POSIX ACL mailing list at acl-devel@bestbits.at.
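    As an added illustration (not part of the original thread), here is a small Python model of the two checks this post describes, answering the "which rule applied to me?" question from post #7 by reporting the entry that decided. classic_check() follows the three-step mode-bit rule (first matching class decides); acl_check() follows the access-check algorithm documented in acl(5) for POSIX ACLs, including the mask entry and the rule that a single matching group entry holding all requested bits grants access. Unlike the post, it also consults supplementary groups, as Linux does. The users, groups, UIDs and files are constructed sample data, and the superuser override is left out.

```python
"""Model of the UNIX permission check from the post above (constructed example).

classic_check() follows the three-step rule for plain mode bits: the first
class that matches (owner, then group, then other) decides, and later classes
are never consulted.  acl_check() follows the POSIX ACL algorithm from acl(5):
owner, named user, then the group class, then other; within the group class
any single matching group entry that holds the requested bits grants access.
The superuser override (CAP_DAC_OVERRIDE) is deliberately left out.
"""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1           # permission bits, as in one octal mode digit


@dataclass
class Process:
    uid: int
    gid: int                    # effective GID
    groups: tuple = ()          # supplementary GIDs (Linux checks these too)


@dataclass
class File:
    uid: int                    # owner
    gid: int                    # owning group
    mode: int                   # e.g. 0o640


@dataclass
class Acl:
    """Extended POSIX ACL.  mask caps named-user and all group entries."""
    user_obj: int               # ACL_USER_OBJ: owner permissions
    group_obj: int              # ACL_GROUP_OBJ: owning-group permissions
    other: int                  # ACL_OTHER
    users: dict = field(default_factory=dict)    # ACL_USER entries, uid -> bits
    groups: dict = field(default_factory=dict)   # ACL_GROUP entries, gid -> bits
    mask: int = 7               # ACL_MASK; 7 stands for "no mask entry"


def classic_check(proc, f, want):
    """Return (granted, class_that_decided) under plain mode bits."""
    if proc.uid == f.uid:
        bits, cls = (f.mode >> 6) & 7, "owner"
    elif proc.gid == f.gid or f.gid in proc.groups:
        bits, cls = (f.mode >> 3) & 7, "group"
    else:
        bits, cls = f.mode & 7, "other"
    # Only the selected class is consulted: a matching owner with no bits is
    # refused even if the group or other bits would allow the access.
    return (bits & want) == want, cls


def acl_check(proc, f, acl, want):
    """Return (granted, entry_that_decided) under the acl(5) algorithm."""
    if proc.uid == f.uid:
        return (acl.user_obj & want) == want, "ACL_USER_OBJ"
    if proc.uid in acl.users:
        bits = acl.users[proc.uid] & acl.mask
        return (bits & want) == want, "ACL_USER:%d" % proc.uid
    my_groups = {proc.gid, *proc.groups}
    matching = []
    if f.gid in my_groups:
        matching.append(("ACL_GROUP_OBJ", acl.group_obj))
    matching += [("ACL_GROUP:%d" % g, bits)
                 for g, bits in acl.groups.items() if g in my_groups]
    if matching:
        # Group class: granted if ANY matching entry (after the mask) holds
        # every requested bit; bits are not pooled across entries.
        for name, bits in matching:
            if ((bits & acl.mask) & want) == want:
                return True, name
        return False, "group class (no matching entry grants)"
    return (acl.other & want) == want, "ACL_OTHER"


# Constructed scenario modelled on the question: one user in several groups.
STAFF, ADMINS, BIZDEP = 100, 200, 300
alice = Process(uid=1000, gid=STAFF, groups=(ADMINS, BIZDEP))


def demo():
    """Return an RSoP-style report: which rule decided each access and why."""
    rows = []
    own = File(uid=alice.uid, gid=BIZDEP, mode=0o060)
    rows.append(("alice reads a file she owns, mode 060",) + classic_check(alice, own, R))
    shared = File(uid=0, gid=BIZDEP, mode=0o640)
    rows.append(("alice reads root's file, group bizdep, mode 640",) + classic_check(alice, shared, R))
    rows.append(("alice writes root's file, group bizdep, mode 640",) + classic_check(alice, shared, W))
    # ACL: owning group bizdep gets nothing, named group admins gets rw, mask rw.
    acl = Acl(user_obj=R | W, group_obj=0, other=0, groups={ADMINS: R | W}, mask=R | W)
    rows.append(("alice reads with ACL bizdep:---, admins:rw-",) + acl_check(alice, shared, acl, R))
    acl.mask = R
    rows.append(("same ACL with mask r--, alice writes",) + acl_check(alice, shared, acl, W))
    return rows


if __name__ == "__main__":
    for what, ok, why in demo():
        print("%-50s %-5s decided by %s" % (what, "GRANT" if ok else "DENY", why))
```

    The first demo row shows why plain mode bits never conflict: alice owns the file, so the owner bits (none) decide and the generous group bits are never looked at. The ACL rows show the opposite behaviour for the group class: membership in bizdep (no rights) does not block the grant coming from admins, and the mask then caps what any group entry can give.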

  10. #9
    Linux Guru (sarumont)
    Join Date
    Apr 2003
    Location
    /dev/urandom
    Posts
    3,682
    The equivalent of this in Linux would be OpenLDAP. This will allow you to have a server housing all the home directories for the network. When a user logs in at any terminal on the network, he has the same permissions. Basically, each machine becomes the same for the user no matter where he is (Windows Domain/Directory Service) and the above explained permissions apply (great explanation Dolda).
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy

  11. #10
    Linux Guru
    Join Date
    Oct 2001
    Location
    Täby, Sweden
    Posts
    7,578
    Well, that's not really OpenLDAP, though. For one thing, LDAP offers only a directory service for user info (the same info that's in your /etc/passwd on normal systems). It doesn't offer home directory sharing or any kind of roaming profiles. You can also use NIS instead of LDAP.
    As for home directory sharing, that's NFS for you (yes, you can use CIFS over Samba, but why, when there's NFSv4 with Kerberos authentication?).
    While you can do authentication with LDAP the same way you can with NIS, that's kind of ugly, and for network authentication, I would like to point to Kerberos instead, which also gives you Single Sign-On.
