ACL

From FreeBSDwiki
Revision as of 17:10, 29 July 2012 by DavidYoung (Talk | contribs)
ACL is an acronym for Access Control List. Under the ACL model, any number of users and groups may hold any number of different and/or overlapping permissions on a single file or directory. An NT-style ACL, if you could view one directly and it were written in English, might look something like this:

Permissions for FILE:

owned by: [user STEVE]

user JOE: [read]
group GUYS: [read], [write]
group MEANIES: [disallow delete]
everyone: [no permissions]
Inherit parent permissions? [yes]

Interpreting this ACL properly can be tricky. What are JOE's effective permissions on this file? The short answer is, we have no idea! Why not? Well, first of all, we need to know whether JOE is a member of GUYS and/or MEANIES. Assuming that he is a member of GUYS and also of MEANIES, we now see that JOE has read and write permissions, but no delete permission... or so we think. The catch is, this file has the "inherit parent permissions" flag set, so JOE might actually have anything from full permissions (except delete) to no permissions at all on this file, depending on what the parent - and possibly its parent, and so on ad infinitum - allows or specifically disallows!

The effective privilege level that JOE has on this file is determined by first adding together all the permissive entries from the ACLs of FILE and its parent directories, then subtracting all the restrictive entries - so we know JOE won't be able to delete FILE, since we saw him specifically disallowed from doing so in FILE's own ACL, but we don't really know whether or not he is allowed to do anything else to it without examining every ACL that could potentially bear on it.

As an example, if FILE were actually C:\INETPUB\Sites\Realtors\JeffreyStokes.com\Images\Houses\SplitLevelRanch\Downtown\001.jpg on a Windows system, you would need to parse a total of ten separate ACLs (from the root of the C: drive all the way to the Downtown folder, as well as 001.jpg itself) before you actually knew who could do what to 001.jpg.

Unix-like systems, including FreeBSD, generally use a simpler numeric permissions model, in which every file is owned by exactly one user and one group, and only three sets of permissions can be set: Owner, Group, and World. So let's examine FILE as it might be on a FreeBSD system using standard numeric permissions:

-rwxr-x---  1 STEVE            GUYS                 431 Mar 17  2003 FILE

This is the actual output of the ls command with the -l flag. It tells us, among other things, that FILE is owned by the user STEVE and the group GUYS, and that the permissions are rwx, r-x, and --- - meaning that STEVE can read, write, or execute FILE, the members of GUYS can read or execute FILE but not write to (or delete) it, and anyone else can't do anything at all with FILE. These three sets of permissions are known as "Owner/Group/World" permissions, and nothing is inherited from anything else - what you see is what you get.
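To make the contrast concrete, here is an added example (not from the wiki page) that models both schemes: the ACL evaluator implements the page's simplified rule (union every applicable allow across the file and its inheriting ancestors, then subtract every applicable deny; real NTFS evaluation order is more involved), and the Unix evaluator reads the ls -l line above. The parent ACL, the group memberships and the everyone/execute/delete rights are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Acl:
    entries: list   # (who, name, "allow" | "deny", frozenset(rights))
    inherit: bool   # the page's "Inherit parent permissions?" flag

def acl_effective(chain, user, groups):
    """chain runs from the file itself up towards the root (file first).
    Page's rule: gather all allows, then remove all denies; the walk stops
    at the first ACL whose inherit flag is off."""
    allowed, denied = set(), set()
    for acl in chain:
        for who, name, kind, rights in acl.entries:
            applies = (who == "everyone" or (who == "user" and name == user)
                       or (who == "group" and name in groups))
            if applies:
                (allowed if kind == "allow" else denied).update(rights)
        if not acl.inherit:
            break
    return frozenset(allowed - denied)

def unix_effective(ls_line, user, groups):
    """ls_line is one 'ls -l' row; exactly one of the three bit triples applies."""
    mode, _links, owner, group = ls_line.split()[:4]
    bits = mode[1:4] if user == owner else mode[4:7] if group in groups else mode[7:10]
    names = ("read", "write", "execute")
    # 's'/'t' in the execute slot still mean executable; 'S'/'T' do not
    return frozenset(n for ch, n in zip(bits, names) if ch in "rwxst")

# The page's FILE ACL, plus a constructed parent that does not itself inherit.
FILE_ACL = Acl([("user", "JOE", "allow", frozenset({"read"})),
                ("group", "GUYS", "allow", frozenset({"read", "write"})),
                ("group", "MEANIES", "deny", frozenset({"delete"})),
                ("everyone", None, "allow", frozenset())], inherit=True)
PARENT_ACL = Acl([("group", "GUYS", "allow", frozenset({"execute", "delete"}))],
                 inherit=False)
LS_LINE = "-rwxr-x---  1 STEVE            GUYS                 431 Mar 17  2003 FILE"

if __name__ == "__main__":
    # JOE in GUYS and MEANIES: parent grants delete, FILE's own deny removes it
    print(sorted(acl_effective([FILE_ACL, PARENT_ACL], "JOE", {"GUYS", "MEANIES"})))
    print(sorted(unix_effective(LS_LINE, "JOE", {"GUYS"})))
```

Dropping MEANIES from JOE's groups or swapping in a different parent ACL changes the first result, which is exactly the "we have no idea" problem the article describes; the Unix result depends only on the one ls -l line.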

So which is better, ACLs or numeric permissions? It depends on who you ask, and what your needs are. Numeric permissions tend to lead to faster filesystems, as the overhead of checking ACLs, particularly ACLs with inheritable permissions, can add surprisingly dramatic overhead to simple file and directory operations. And even the apparent strength of ACLs - their obviously greater flexibility and granularity - can be their downfall: it is not at all uncommon for administrators of ACL'ed systems to be completely mistaken about the effective permissions on a given file because they forgot what it inherits from its parents, or didn't notice an allow or a deny explicitly set for one of several groups that all have conflicting privileges on the same file.

As of the writing of this article, all versions of FreeBSD use the numeric permissions model by default; however, all versions of FreeBSD 5.x are capable of enabling ACLs using the tunefs command if so desired. As always, think carefully before enabling a new and far-reaching addition to your system - there are disadvantages and advantages to both models, and which model is most appropriate differs for every system.

[ONLamp article on ACLs]
