i have a folder on a system where users exist, can't delete other sub dirs but can use their own files and create new folders. i believe its called /home
And I believe that is not what I asked.

I asked "So how will groups help you set up directory that allows a user to delete files, but not subdirectories while allowing the user to create subdirectories (with a predefined set of rights different than the original directory) but not new files and disallows the user to execute files or traverse the directory and allowing them to read file attributes but not read file security settings?"

If you have difficulty grasping the difference, we shouldn't be having this conversation.

root can be knocked down enough to not have full access. though i dont see your big deal over it. root should have that access. only an idiot is going to run something as root that could potentially harm the system in the first place.
Modifying root in such a manner is non-traditional UNIX security (I believe I mentioned the idea of muddying the waters with CAF, MLS, and SE extensions).

You don't see my problem with root?

"vulnerability
A weakness in system security procedures, system design, implementation, internal controls,
etc., that could be exploited to violate system security policy."
-NCSC-TG-004 "Glossary of Computer Security Terms" (Teal Green Book)

What would you call an account that has access to things not granted to it by the access control policy? Seems like a vulnerability to me... oddly enough the NSA agrees with this... whodathunkit?

the number of compromised systems vs how secure it is.... yea that would be dumb wouldn't it, i mean security being how secure you can make something maybe its the idiot windows admins alloowing those nasty break ins that are at fault and not windows developers for skipping out on the coding for jack asses class.
I tell you what... name me a single (that means one) vulnerability in the Windows 2000 operating system that was a true vulnerability... where the system security policy was violated. Name just one.

If you can't name one we have nothing further to discuss.
If you post bad examples where the exploit occurred within the bounds of a lax security policy I will take that to mean that you have no clue what vulnerabilities are, how they are classified, and what exactly a security policy is.

If you would like me to provide you acedemic papers on this topic I would be more than happy to do so. If you wish to rely on simple numbers of compromised systems (that not only fail to reveal any useful information, but the numbers themselves are suspect as well), more power to ya, just please don't waste any more of my time.

cheers,

catch