FreeBSD Access Control Lists
BSD Forums writes "The Unix permissions model has worked for decades due to its flexible simplicity. It's not the only approach, though. FreeBSD 5.0 supports Access Control Lists, which allow for more flexible permissions. Daniel Harris explains what ACLs can make easier."
But Windows NT has had ACLs for some time now.
A lot of people have derided the concept.
But as far as I can see, they are a complete superset of the Un*x system.
It's pretty hard to argue that it's not as good.
Discuss.
Flexible systems solve more of the initial problem but tend to be harder to manage. (Pick your favorite example: Linux vs. Mac, C++ vs. Java, Civilization vs. Quake, ...) What I worried about back when I used ACLs was that roles can change over time. Yes, I have some directory that Bob should have access to. Two months from now, Alice joins Bob's group and takes over his duties, so she needs access. Can Bob grant that access? Now what happens when Bob transfers to a different group? Who's going to go around checking all files accessible by Bob to determine which of them were accessible by him because he's working on some particular project and which were accessible because he's a good buddy of mine? What if you forget to do this?
Keep it simple. If not for yourself, for your children, and your children's children.
-- Amit (overgeneralizing)
Fact me 'til I fart.
Bitch.
Why in the hell would anybody still reply to a *BSD is dying troll?
Why the hell would anyone touch your feces infested cock?
Ooh, Anonymous Coward, you're so brave. I've always wanted to be like you.
Do you feel better now? Have you considered how sad your life is? Give some thought to what mistakes you've made to bring you to this point. I wish you the best.
I had a directory that I wanted 777 for all but user www. The solution was simple with ACL's; it eliminated the need for adding a new group for one measly dir.
Go ACL's!
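The "777 for all but user www" case above, worked through as an added example (not code from the original post): a small model of the POSIX.1e access-check order (owner, named user, owning/named groups under the mask, other) as implemented by FreeBSD 5's setfacl/getfacl. The ACL text, user and group names are constructed.

```python
# Model of the POSIX.1e ACL access check (owner, named user, group class
# under the mask entry, other). Added example; ACL text and names are constructed.
R, W, X = 4, 2, 1

def parse_acl(text):
    """Parse setfacl-style text such as 'u::rwx,u:www:---,g::rwx,m::rwx,o::rwx'."""
    entries = []
    for item in text.split(","):
        tag, qual, perms = item.split(":")
        bits = (R if "r" in perms else 0) | (W if "w" in perms else 0) | (X if "x" in perms else 0)
        entries.append((tag, qual, bits))
    return entries

def lookup(acl, tag, qual=""):
    for t, q, p in acl:
        if t == tag and q == qual:
            return p
    return None

def check_access(acl, user, groups, owner, owning_group, want):
    """True if a process running as user with the given groups gets all 'want' bits."""
    mask = lookup(acl, "m")
    masked = lambda p: p if mask is None else p & mask   # mask caps every entry but u:: and o::
    if user == owner:
        return lookup(acl, "u") & want == want
    named = lookup(acl, "u", user)
    if named is not None:                     # a named-user entry is final: other:: is not consulted
        return masked(named) & want == want
    matched = False
    for g in groups:
        p = lookup(acl, "g") if g == owning_group else lookup(acl, "g", g)
        if p is not None:
            matched = True
            if masked(p) & want == want:      # any matching group entry may grant
                return True
    if matched:
        return False
    return lookup(acl, "o") & want == want

# Constructed sample: world-writable directory that excludes only user www.
NO_WWW = parse_acl("u::rwx,u:www:---,g::rwx,m::rwx,o::rwx")
# Constructed sample: a named user granted rwx, but the mask caps it to r-x.
MASKED = parse_acl("u::rwx,u:bob:rwx,g::r-x,m::r-x,o::---")
```

Note that www is refused even though `o::rwx` would allow everyone: the first matching entry class decides, it does not fall through.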
thanks for linking to the printable version, saves me a click!
It's not like FreeBSD is the first to have ACLs. Solaris and Linux both support them as well.
One thing I like under Solaris ACLs is you can set a "default" permission. I always have my default umask set to 027, but I do some collaborative work in some shared directories and it's nice to be able to force any files created in that directory to be writeable by the group. ACLs on Solaris completely ignore the umask.
Under Linux, however, the ACLs work with the umask. I can set default permissions for a directory to be group read-only and files created by someone with a 007 umask will be set to read-only, but I can't do the opposite.
I believe Linux is doing the POSIXly correct thing, but I don't find it very useful.
-- Don't Tase me, bro!
I dunno, the trolls aren't as creative, but the OS is pretty solid.
The drive's probably running in PIO4; if you're too stupid to RTFM you probably should check the man pages, etc. Or switch to an equally crappy Linux distro such as Roothat.
*BSD is for the enterprise, not some stupid Linux fuckhead that runs it on their desktop and complains about it being slow because it's not configured properly.
I bet you own a fucking mac as well.
Bloody *BSD users - mindless zealots.
Isn't it time Slashdot made use of ACL's to prevent the "*BSD is dying" trolls?
Netware ACLs were the best and simplest to work with. I still miss them. For those with no Netware experience, directories had the following attributes:
Read, Write, Create, Erase, Modify, File scan (see directory contents), Access control (ability to change attributes for these properties for yourself or others), and Supervisory which enabled turning any of these bits on or off regardless of their status.
IIRC, RF was the default permission. Subdirectories always inherited the permissions of their parents, although the above permissions could be selectively blocked from inheritance.
My favorite feature (which if 2K had would make life lots easier), was directory traversal rights were automatic. If I as a user have RWCEMF rights to directory BAR located in directory tree /usr/local/foobar/foo/bar but am explicitly excluded from rights to foobar/ and foo/, I can still get to my directory and only see just the directories I need to navigate the file system.
Systems without traversal rights like this require some pretty convoluted logic to make them work, like home folders in Win2k. You need to make HOME readable to everyone so it can be mounted and people can find their home directories, but each user home directory needs inheritance blocked and specific user rights assigned. In Netware rights, you just grant the user rights to their directory, admin rights to HOME, and inheritance and directory traversal make it work.
I hope BSDs ACLs include automatic minimal traversal rights and inheritance.
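The inheritance and automatic-traversal behaviour described in the post, modelled as an added example (not code from the original post and not Netware's actual implementation): explicit trustee assignments win, otherwise rights are inherited from the parent through that directory's inherited-rights filter, Supervisory is never filtered, and a user holding rights somewhere below a directory gets an implicit File-scan right on it so they can navigate down. The tree and users are constructed from the post's /usr/local/foobar/foo/bar scenario.

```python
# Netware-style rights model: explicit assignment, filtered inheritance, and
# implicit traversal on ancestors.  Added example; tree and users are constructed.
from posixpath import dirname

ALL = set("RWCEMFAS")          # Read Write Create Erase Modify File-scan Access-control Supervisory

def effective(path, user, trustees, filters):
    """Rights of user at path: explicit assignment if any, else the parent's
    rights passed through this directory's inherited-rights filter."""
    explicit = trustees.get(path, {}).get(user)
    if explicit is not None:
        return ALL if "S" in explicit else set(explicit)
    if path in ("/", ""):
        return set()
    inherited = effective(dirname(path), user, trustees, filters)
    if "S" in inherited:                      # Supervisory cannot be filtered out
        return inherited
    return inherited & filters.get(path, ALL)

def visible(path, user, trustees, filters):
    """What the user can do when listing or entering path.  With no rights of
    their own, they still get File scan if they hold rights somewhere below."""
    rights = effective(path, user, trustees, filters)
    if rights:
        return rights
    prefix = path.rstrip("/") + "/"
    below = any(p.startswith(prefix) and effective(p, user, trustees, filters)
                for p in trustees)
    return {"F"} if below else set()

# Constructed scenario from the post: bob is explicitly excluded from foobar/
# and foo/ but holds RWCEMF on bar/; admin is Supervisor of the whole tree.
TRUSTEES = {
    "/usr/local/foobar":         {"bob": "", "admin": "S"},
    "/usr/local/foobar/foo":     {"bob": ""},
    "/usr/local/foobar/foo/bar": {"bob": "RWCEMF"},
}
FILTERS = {}   # no inherited-rights filters in this scenario
```

Bob can pass through foobar/ and foo/ with File scan only, works normally in bar/ and everything it contains, and sees nothing elsewhere under /usr/local.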
I have no idea about Windows NT, but "real" operating systems of yore such as Honeywell's ancient GCOS (usually referred to as God's Chosen Operating System) back in the late 70s and early 80s, PRIME's PRIMOS (1980s) and Data General's AOS/VS (1980s) and AOS/VS2 (early 1990s) all had effective implementations of ACLs. Nothing new here.
Let's face it. We've all known that the classical Unix security model (uid/gid) was not fine-grained enough for modern usage. But the problem has always been that the alternatives were complicated. That is the standard argument against ACL's. The reality is that this is a messy problem that doesn't have any elegant solutions. If there was a simple solution, someone would have found it by now. So, the best thing to do is to implement the current solution (ACL's) and make it work as smoothly as possible.
I'm definitely not a Microsoft fan. But one quality of Microsoft that I admire is that they are not afraid to move forward in situations where there are no clean solutions. By contrast, the Unix community often gets bogged down in such situations and is unable to make progress for long periods of time. I realize this is somewhat unfair, since Microsoft developers get paid to do this grunt work. But if Linux/*BSD wants to compete directly with Microsoft (as many advocates claim), it must do the same.
Hoping to effect change?
(If this was a VA Research/VA Linux/whatever they are now is dead post, the administration on /. would stop it)
Good Lord, there are more -1 posts on this article than 0-5 posts.
So many losers, so few BSD articles.
95% of the time they just increase overhead for the admins, but for that 5% that you really NEED them for, they are a godsend...
---- Booth was a patriot ----
oops, I mouse-o'ed while moderating. This post exists only to cancel that moderation.
Mandatory security is the way to go. NSA Secure Linux and LOMAC are the best known steps in that direction. LOMAC, from Network Associates, was a big step in the right direction. NA did that for Linux, made it open source, but stopped development a while back, possibly because Microsoft got nervous about improved Linux security. (Microsoft is known to have lobbied heavily against NSA Secure Linux.)
The problem with mandatory security is that it really works. You then have to go and fix all the tools that cross security boundaries and shouldn't.
The key project here would be to take NSA Secure Linux or LOMAC and make a mail server, a DNS server, and Apache work within the restrictions. That would be very, very useful.
It is common knowledge that *BSD is dying, that ever hapless *BSD is mired in an irrecoverable and mortifying tangle of fatal trouble. It is perhaps anybody's guess as to which *BSD is the worst off of an admittedly suffering *BSD community. The numbers continue to decline for *BSD but FreeBSD may be hurting the most. Look at the numbers. The loss of user base for FreeBSD continues in a head spinning downward spiral.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of BSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major marketing surveys show that *BSD has steadily declined in market share. *BSD is extremely sick and its long term survival prospects are very dim. If *BSD is to survive at all it will only be among hobbyist dilettante dabblers. In truth, for all practical purposes *BSD is already dead. It is a dead man walking.
Fact: *BSD is dying
I was using ACLs long before I began using FreeBSD and I've reduced my explanation of ACLs to the uninitiated to the following dialogue:
Mike: "My mama didn't raise no fool!"
Bob: "So who raised you, then?"
Show me a shorter explanation of ACLs and I will post a troll about Linux. Oh, wait, this was it.
Subject says it all.