Slashdot Mirror


FreeBSD Access Control Lists

BSD Forums writes "The Unix permissions model has worked for decades due to its flexible simplicity. It's not the only approach, though. FreeBSD 5.0 supports Access Control Lists, which allow for more flexible permissions. Daniel Harris explains what ACLs can make easier."

2 of 108 comments

  1. Re:Now correct me if I'm wrong... by Przepla · Score: 4, Informative
    Typical problem is removing read-rights from the backup account.
    Well, in FreeBSD that is not a problem, since the operator account was designed to do backups. This user has read-only rights to any filesystem. You have to use the root account to set the no-dump flag, however.
    --
    When in doubt, go to the library. - Ron Weasley in Harry Potter and the Chamber of Secrets
  2. Netware ACLs were best ever by swb · Score: 3, Informative

    Netware ACLs were the best and simplest to work with. I still miss them. For those with no Netware experience, directories had the following attributes:

    Read, Write, Create, Erase, Modify, File scan (see directory contents), Access control (ability to change attributes for these properties for yourself or others), and Supervisory which enabled turning any of these bits on or off regardless of their status.

    IIRC, RF was the default permission. Subdirectories always inherited the permissions of their parents, although the above permissions could be selectively blocked from inheritance.

    My favorite feature (which, if 2K had it, would make life lots easier) was that directory traversal rights were automatic. If I as a user have RWCEMF rights to directory BAR located in directory tree /usr/local/foobar/foo/bar but am explicitly excluded from rights to foobar/ and foo/, I can still get to my directory and only see just the directories I need to navigate the file system.

    Systems without traversal rights like this require some pretty convoluted logic to make them work, like home folders in Win2k. You need to make HOME readable to everyone so it can be mounted and people can find their home directories, but each user home directory needs inheritance blocked and specific user rights assigned. In Netware rights, you just grant the user rights to their directory, admin rights to HOME, and inheritance and directory traversal make it work.

    I hope BSD's ACLs include automatic minimal traversal rights and inheritance.
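The inheritance-plus-traversal model described in the comment above, as an added toy model (not code from the post, and not Netware's real implementation): explicit trustee rights on a directory win, otherwise the parent's effective rights flow in through that directory's inherited-rights filter, Supervisory is treated as unfilterable, and a user may pass through a directory they hold no rights in when a subdirectory grants them some. The `Tree` class, the rights letters and the home-directory scenario are constructed for illustration.

```python
# Constructed toy model of Netware-style directory rights (added example).
RIGHTS = set("RWCEMFAS")  # Read Write Create Erase Modify Filescan Accessctl Supervisory

class Tree:
    def __init__(self):
        self.trustees = {}  # path -> {user: set(rights)} explicit assignments
        self.irf = {}       # path -> rights allowed to inherit from the parent

    def grant(self, path, user, rights):
        self.trustees.setdefault(path, {})[user] = set(rights)

    def block_inheritance(self, path, keep=""):
        # Inherited-rights filter: only 'keep' flows in from the parent.
        self.irf[path] = set(keep)

    @staticmethod
    def parent(path):
        return path.rsplit("/", 1)[0] or "/"

    def effective(self, path, user):
        """Rights user holds in path. An explicit assignment replaces anything
        inherited; otherwise parent rights pass through the filter. S is modelled
        as unfilterable (assumption of this toy) and implies every right."""
        explicit = self.trustees.get(path, {}).get(user)
        if explicit is not None:
            rights = set(explicit)
        elif path == "/":
            rights = set()
        else:
            allowed = self.irf.get(path, RIGHTS) | {"S"}
            rights = self.effective(self.parent(path), user) & allowed
        return RIGHTS if "S" in rights else rights

    def can_traverse(self, path, user):
        """Automatic traversal: a user with no rights in path may still pass
        through it when some directory below it grants them rights."""
        if self.effective(path, user):
            return True
        prefix = path.rstrip("/") + "/"
        return any(p.startswith(prefix) and user in t
                   for p, t in self.trustees.items())

def home_dir_scenario():
    """The HOME layout from the post: admin gets S on HOME, each user gets
    RWCEMF on their own directory, and inheritance is blocked there."""
    t = Tree()
    t.grant("/HOME", "admin", "S")
    for u in ("alice", "bob"):
        t.grant(f"/HOME/{u}", u, "RWCEMF")
        t.block_inheritance(f"/HOME/{u}")
    return t
```

With this model alice holds no rights in /HOME yet can traverse it to reach /HOME/alice, bob sees nothing inside alice's directory, and admin keeps full rights everywhere because S is not filtered.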