FreeBSD Access Control Lists
BSD Forums writes "The Unix permissions model has worked for decades due to its flexible simplicity. It's not the only approach, though. FreeBSD 5.0 supports Access Control Lists, which allow for more flexible permissions. Daniel Harris explains what ACLs can make easier."
When in doubt, go to the library. - Ron Weasley in Harry Potter and the Chamber of Secrets
Netware ACLs were the best and simplest to work with. I still miss them. For those with no Netware experience, directories had the following attributes:
Read, Write, Create, Erase, Modify, File scan (see directory contents), Access control (ability to change attributes for these properties for yourself or others), and Supervisory, which enabled turning any of these bits on or off regardless of their status.
IIRC, RF was the default permission. Subdirectories always inherited the permissions of their parents, although the above permissions could be selectively blocked from inheritance.
My favorite feature (which if 2K had would make life lots easier) was that directory traversal rights were automatic. If I as a user have RWCEMF rights to directory BAR located in directory tree /usr/local/foobar/foo/bar but am explicitly excluded from rights to foobar/ and foo/, I can still get to my directory and only see just the directories I need to navigate the file system.
Systems without traversal rights like this require some pretty convoluted logic to make them work, like home folders in Win2k. You need to make HOME readable to everyone so it can be mounted and people can find their home directories, but each user home directory needs inheritance blocked and specific user rights assigned. In Netware rights, you just grant the user rights to their directory, admin rights to HOME, and inheritance and directory traversal make it work.
I hope BSD's ACLs include automatic minimal traversal rights and inheritance.
I have no idea about Windows NT, but "real" operating systems of yore such as Honeywell's ancient GCOS (usually referred to as God's Chosen Operating System) back in the late 70s and early 80s, PRIME's PRIMOS (1980s) and Data General's AOS/VS (1980s) and AOS/VS2 (early 1990s) all had effective implementations of ACLs. Nothing new here.
I use that umask also. It means that files he creates are automatically chmodded to 640 and directories are automatically chmodded to 750.
"man umask" will tell you that you need to subtract the desired permissions from 777 to get the appropriate umask value.
You use numbers and not "chmod a+rw", right?
Common sense is not so common.
-- Don't Tase me, bro!