new user id system idea.

ericr ericr at hpvclc.UUCP
Fri May 3 03:16:00 AEST 1985



The idea as presented would be very handy.  In fact, I once implemented
the group administrator idea when I was at Washington State Univ.  The
main reason we did it was to overcome the system imposed limit of 
255 uid's which we had at the time.  The side-effect however was that
a TA could manipulate his student accounts without free run of the system.

Unfortunately, I did that some years ago and have no listings left.  WSU
cs dept. may still have it, but I am not sure.  

On the negative side about your suggestion, I see how many loopholes
can develop in our two-level security scheme; I just cringe when I think
of what can develop with this multi-dimensional matrix that you suggest.

In short, I think that security would suffer greatly.  Several other systems
including Hewlett Packard's MPE and Digital's RSX series OS's used more of
a single dimension scheme where each user had a set of permission flags.

I am more familiar with MPE so I will discuss some of its features.

First, the 'super-user' has the SM (System Manager bit) set.  This will
allow him free run.

The next level down is the 'AM' bit.  He can create users within his account
with their own logins and give them any permissions that he himself has.

Then, there are the interactive permission and batch permission flags.

On the administration side, there is the OP (Operator) which will allow 
such sundry tasks as Spool control, backups, etc.  He has no control on
the account structure.  The real beauty of this scheme is that you can
mix and match to your heart's content to get the appropriate security
scheme for each user.  

So, what I am suggesting is possibly the present uid and gid and an
additional perm field which has permissions which can be individually
mixed and matched.

You asked for an opinion and you got it :) 

Eric Ross
ihnp4!hpfcla!hpvcla!hpvclc!ericr
Hewlett Packard
Vancouver Division
(206)254-8110
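
The perm field suggested in the post, with the delegation rule it describes for the AM bit (a creator can hand out only permissions he himself holds, and only within his own account), as an added C example that is not part of the original post and is not MPE code. The bit layout, the names PERM_IA and PERM_BA, the record layout, the account names and the assumption that SM bypasses the checks are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bit layout; SM, AM and OP are the MPE flags named in the post,
   PERM_IA and PERM_BA stand in for its interactive and batch flags. */
enum { PERM_SM = 1 << 0,   /* System Manager: free run of the system */
       PERM_AM = 1 << 1,   /* may create users within own account */
       PERM_OP = 1 << 2,   /* spool control, backups; no account control */
       PERM_IA = 1 << 3,   /* interactive sessions */
       PERM_BA = 1 << 4 }; /* batch jobs */

struct user { char name[16]; char account[16]; uint32_t perm; };

/* Fill *out and return 0 if creator may create the user, else return -1. */
int create_user(const struct user *creator, const char *name,
                const char *account, uint32_t perm, struct user *out)
{
    if (strlen(name) >= sizeof out->name || strlen(account) >= sizeof out->account)
        return -1;                          /* would not fit the record */
    if (!(creator->perm & PERM_SM)) {       /* assumption: SM bypasses checks */
        if (!(creator->perm & PERM_AM))
            return -1;                      /* e.g. OP alone cannot add users */
        if (strcmp(creator->account, account) != 0)
            return -1;                      /* AM is confined to own account */
        if (perm & ~creator->perm)
            return -1;                      /* cannot grant a bit you lack */
    }
    strcpy(out->name, name);
    strcpy(out->account, account);
    out->perm = perm;
    return 0;
}

/* Convenience wrapper: build a creator record and attempt one creation. */
int try_create(uint32_t creator_perm, const char *creator_account,
               const char *target_account, uint32_t perm)
{
    struct user creator = { "creator", "", creator_perm }, created;
    strncpy(creator.account, creator_account, sizeof creator.account - 1);
    return create_user(&creator, "student1", target_account, perm, &created);
}

int main(void)
{
    uint32_t ta = PERM_AM | PERM_IA;        /* constructed TA profile */
    printf("TA adds student:     %d\n", try_create(ta, "cs101", "cs101", PERM_IA));
    printf("TA grants OP:        %d\n", try_create(ta, "cs101", "cs101", PERM_IA | PERM_OP));
    printf("TA in other account: %d\n", try_create(ta, "cs101", "cs201", PERM_IA));
}
```

The subset test `perm & ~creator->perm` is the single check that keeps a mixed-and-matched flag set from being escalated through delegation.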


