FreeBSD Access Control Lists
BSD Forums writes "The Unix permissions model has worked for decades due to its flexible simplicity. It's not the only approach, though. FreeBSD 5.0 supports Access Control Lists, which allow for more flexible permissions. Daniel Harris explains what ACLs can make easier."
But Windows NT has had ACLs for some time now.
A lot of people have derided the concept.
But as far as I can see, they are a complete superset of the Un*x system.
It's pretty hard to argue that it's not as good.
Discuss.
Well, the answer is to assign the permission to a group, not to Bob directly. But, drat, then you are back to using groups. :)
The prime problem which ACLs solve or rather work-around, is that users:
- have no way to specify their own collection of users (they have to ask the admin to create a group)
AND
- a user cannot chgrp a file to any group of which they are not a member (security)
ACLs provide normal users a means to assign permissions to files by arbitrary users, and (iirc) arbitrary groups. But they are, as you point out, a management nightmare - while being a feature very few people actually need.
I use Friend/Foe + mod-point modifiers as a karma/reputation system.
I had a directory that I wanted 777 for all but user www. The solution was simple with ACLs; it eliminated the need for adding a new group for one measly dir.
Go ACLs!
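As an added illustration (not code from any poster here), this Python model walks through the POSIX.1e access-check order that FreeBSD's UFS2 and Linux follow, applied to the "777 for everyone except www" directory from the post above; the ACL text, owner, user and group names are constructed, and the mask handling shows why chmod on an ACL-bearing file behaves differently from the classic group bits.

```python
# Permission bits as printed by getfacl ("rwx"); ALL is used when no mask entry exists
R, W, X = 4, 2, 1
ALL = R | W | X

def parse_acl(text):
    """Parse getfacl-style lines ('user:www:---', 'mask::rwx') into (tag, qualifier, perms)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#")[0].strip()
        if line:
            tag, qual, p = line.split(":")
            perms = (R if "r" in p else 0) | (W if "w" in p else 0) | (X if "x" in p else 0)
            if qual == "" and tag in ("user", "group"):
                tag += "_obj"  # unqualified user/group entries are the classic owner/group bits
            entries.append((tag, qual, perms))
    return entries

def acl_check(acl, want, uid, groups, owner, owning_group):
    """POSIX.1e order: owner, named user, then any matching group entry, then other."""
    by_tag = {}
    for tag, qual, perms in acl:
        by_tag.setdefault(tag, []).append((qual, perms))
    # Named-user and all group entries are limited by the mask (chmod changes the mask, not them)
    mask = by_tag["mask"][0][1] if "mask" in by_tag else ALL
    if uid == owner:
        return want & by_tag["user_obj"][0][1] == want
    for qual, perms in by_tag.get("user", []):
        if qual == uid:
            return want & perms & mask == want
    group_entries = [(owning_group, by_tag["group_obj"][0][1])] + by_tag.get("group", [])
    matched = False
    for gid, perms in group_entries:
        if gid in groups:
            matched = True
            if want & perms & mask == want:
                return True
    if matched:
        return False  # in a listed group but none grants: no fall-through to 'other'
    return want & by_tag["other"][0][1] == want

# Constructed ACL for the "777 for everyone except www" directory from the post above
SHARED_DIR_ACL = parse_acl("""
user::rwx
user:www:---
group::rwx
mask::rwx
other::rwx
""")
```

With this ACL, www is refused even though "other" is rwx, because the named-user entry is matched first and the check stops there.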
It's not like FreeBSD is the first to have ACLs. Solaris and Linux both support them as well.
One thing I like under Solaris ACLs is you can set a "default" permission. I always have my default umask set to 027, but I do some collaborative work in some shared directories and it's nice to be able to force any files created in that directory to be writeable by the group. ACLs on Solaris completely ignore the umask.
Under Linux, however, the ACLs work with the umask. I can set default permissions for a directory to be group read-only and files created by someone with a 007 umask will be set to read-only, but I can't do the opposite.
I believe Linux is doing the POSIXly correct thing, but I don't find it very useful.
-- Don't Tase me, bro!
As far as I can see, the ACLs in FreeBSD/UFS2 (following the POSIX.1e proposal) just know the traditional read-write-execute/search permissions, only with more fine-grained possibilities to assign these rights to users and groups. However, the FreeBSD implementation seems to be flexible enough to support additional flags - in fact, the acl(3) manpage explicitly mentions nonportable functions for Netware style ACLs (and some others, like NTFS). I have no idea how to actually use that, however.
Programming can be fun again. Film at 11.
95% of the time they just increase overhead for the admins, but for that 5% that you really NEED them for, they are a godsend...
---- Booth was a patriot ----