
Rich access control lists

Posted Oct 25, 2015 1:44 UTC (Sun) by idra (guest, #36289)
In reply to: Rich access control lists by fandingo
Parent article: Rich access control lists

> This is entirely incorrect and undermines your entire point. ACL resolution order is an explicit feature of Linux ACLs (and traditional POSIX mode bits). Let's say I'm using traditional ACLs, and a file has permissions r-----rw-. It's owned by me, and the group doesn't matter. This is a negative policy! I am not allowed to write to this file, but others are.

Sorry man but you are very confused. First of all, those are Posix permissions, not Posix ACLs; that said, the default is no access ---, and you have been given read access by turning on the r bit. Permissions cannot be accidentally dropped, so that case does not apply to the basic Posix permissions. In any case, if that bit were dropped you'd lose read access, which is consistent with what I said.

> How do I put this nicely? I don't want design limitations because some people are too stupid to learn the tools. That's their problem. Don't mount with the Richacl option if you don't know what you're doing.

Tools are as good as they are usable by *normal* people. A car only an F1 driver can use is ... how can I put it nicely ... useless to everyone but the 20 odd F1 drivers on the planet, which is to say useless.

Now RichACLs are not *that* hard, but my experience tells me that ACL systems that include an ordered deny policy are a double-edged sword, and the balance between complexity and usefulness is wrongly tilted. All this said, I need RichACLs to be able to reach compatibility with Windows ACLs, so I'll take them as they come.

> I don't understand what you're getting at.

Sadly obvious.

> Back in the early NT days, yes, there were tooling problems, but those have been long corrected. Maybe you can be more specific, but this has been fixed for ages. There are some low-level APIs that allow insertion of ACLs without resolving the overall policy, but they're counter-recommended and proper versions have been around for a long time. But, hey, nothing like a Linux forum criticizing Microsoft with severely outdated information.

Look, those issues were not bugs that got fixed and are there no more; they are fundamental usability issues that are due to the semantics chosen. They just got "handled" by adjustments done by the GUI tools. Now there is no criticizing here *at all* (that's all in your mind, pal), but only making people unfamiliar with these semantics aware that the *same* problems will now be found in systems used by Linux admins. They can be solved the same way, by forcing the tools to reorder the ACIs and massage the ACLs, but afaik the tools do not do that today.
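The two models being argued over, as an added illustration that is not part of the thread or of the kernel's richacl code: traditional mode bits pick exactly one class (owner, then group, then other) and never fall through, so r-----rw- really does leave the owner unable to write, while an NFSv4/RichACL-style list is walked in order and the position of a DENY entry decides the outcome. The `Ace` type and the `OWNER@`/`EVERYONE@` labels are a simplified sketch of NFSv4-style semantics, assumed here for the demonstration.

```python
# Added example: POSIX class resolution vs. ordered ALLOW/DENY evaluation.
# Simplified model of NFSv4/RichACL semantics, not the kernel implementation.
from dataclasses import dataclass

R, W, X = 4, 2, 1


def mode_bits(mode_str):
    """Parse 'r-----rw-' into (owner, group, other) bitmasks."""
    assert len(mode_str) == 9, "expected a 9-character rwx string"
    classes = []
    for i in range(0, 9, 3):
        bits = 0
        for ch, bit in zip(mode_str[i:i + 3], (R, W, X)):
            if ch != "-":
                bits |= bit
        classes.append(bits)
    return tuple(classes)


def posix_allows(mode_str, want, uid, gids, f_uid, f_gid):
    """Traditional mode bits: the first matching class decides, no fall-through."""
    owner, group, other = mode_bits(mode_str)
    if uid == f_uid:
        cls = owner          # owner class wins even if 'other' is more generous
    elif f_gid in gids:
        cls = group
    else:
        cls = other
    return want & cls == want


@dataclass
class Ace:
    kind: str   # "allow" or "deny"
    who: str    # principal label, e.g. "OWNER@", "GROUP@", "EVERYONE@"
    mask: int   # permission bits this entry speaks about


def rich_allows(aces, want, principals):
    """Ordered evaluation: walk ACEs in list order. A DENY that mentions a
    wanted bit not yet granted ends the walk; ALLOWs accumulate until every
    wanted bit is covered. Swapping two entries can flip the answer."""
    granted = 0
    for ace in aces:
        if ace.who not in principals:
            continue                         # entry does not apply to caller
        if ace.kind == "deny":
            if ace.mask & want & ~granted:
                return False                 # a still-unsatisfied bit is denied
        else:
            granted |= ace.mask & want
            if granted == want:
                return True
    return granted == want
```

With mode r-----rw- the owner cannot write while an unrelated user can; with the same two RichACL-style entries, ALLOW EVERYONE@ rw before DENY OWNER@ w grants the owner write, and the reverse order refuses it.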


Rich access control lists

Posted Oct 25, 2015 4:30 UTC (Sun) by mathstuf (subscriber, #69389) [Link]

> that said the default is no access ---

No, the default is 0777. You set umask to take bits away.

Rich access control lists

Posted Oct 25, 2015 9:06 UTC (Sun) by paulj (subscriber, #341) [Link]

Bizarre, why use order-significant ACLs if to make them usable tools must then - all, consistently! - normalise the order somewhat?


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds