quoted from below: "ACLs take care of access control problems that are overly complicated or impossible to solve with the normal Unix permissions system. By avoiding the creation of groups and overuse of root privileges, ACLs can keep administrators saner and servers more secure."
See:
Contents
Notes
Unix permissions are flexible and can solve almost any access control problem, but what about the ones they can't? Do you really want to make a group every time you want to share a file with another user? Perhaps you don't have root, and you can't create a group at will. Sometimes the limitations can cause security problems; it would be nice to be able to make a directory available to a web server or other user without making the files world-readable or world-writable. Root-owned configuration files often need to be edited by those without root privileges; instead of using programs like sudo or calife and risking shell escapes in editors, it would be better just to allow certain non-owners to edit these files.
Access Control Lists (ACLs) solve these problems. They allow more flexibility than the standard Unix user/group/other set of permissions. ACLs have been available in commercial UNIXes such as IRIX and Solaris (and in Windows NT) for years. Now, thanks to the TrustedBSD project's work, ACLs are available in FreeBSD 5.0-RELEASE and beyond. Much of the information below applies, at least in part, to ACL implementations on other platforms; however, you will want to look at specific documentation to avoid being tripped up by differences in syntax. There shouldn't be many, as FreeBSD attempts to conform to the latest POSIX.1e draft.
...
Looking at ACLs is simple. Files with ACLs will be designated with a + in the long listing provided by ls -l:
-rw-rw-r--+ 1 rob rob 0 Apr 19 17:27 acl-test
To see the ACL, just use the getfacl command:
$ getfacl acl-test
#file:acl-test
#owner:1000
#group:1000
user::rw-
user:nobody:rw-
group::r--
group:wheel:rw-
mask::rw-
other::r--
The user::, group::, and other:: fields should all be familiar. They are nothing but the ACL representations of the standard UNIX permissions system. The nobody and wheel lines, however, are new. These specify permissions for specific users and groups (in this case nobody and wheel) in addition to the normal set of permissions.
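To make the entries above concrete, here is an added example (not code from the original article or from FreeBSD) that parses the getfacl listing shown above and evaluates who gets what. It follows the POSIX.1e access-check order: the owner entry, then named user entries, then the owning-group and named-group entries (any one matching entry that grants all requested bits suffices), then the other entry, with the mask entry capping everything except the owner and other entries. The identities and their numeric ids (rob as uid 1000, alice, bob) are constructed for the example; only nobody, wheel and the listing itself come from the page.

```python
"""Parse getfacl(1) text and evaluate a POSIX.1e access check.

Added example, not part of the original article. Header lines carry numeric
ids (#owner:1000), as in the getfacl output on the page, so identities here
carry both names (matched against named entries) and numeric ids (matched
against the owner and owning-group headers).
"""

# Constructed sample: the getfacl listing quoted above.
SAMPLE_ACL = """\
#file:acl-test
#owner:1000
#group:1000
user::rw-
user:nobody:rw-
group::r--
group:wheel:rw-
mask::rw-
other::r--
"""

# Same ACL after the mask has been tightened (what chmod g-w does to a file
# that carries an ACL): with an ACL present, the group bits shown by ls -l
# are the mask, not the owning-group entry.
SAMPLE_ACL_MASKED = SAMPLE_ACL.replace("mask::rw-", "mask::r--")


def has_acl(ls_line):
    """True when the mode field of an `ls -l` line carries the '+' marker."""
    return ls_line.split()[0].endswith("+")


def _bits(perms):
    """'rw-' -> {'r', 'w'}; also accepts the short form 'rw'."""
    return {c for c in perms if c in "rwx"}


def parse_acl(text):
    """Return a dict with owner/owning-group ids and the six entry kinds."""
    acl = {"owner": None, "owning_group": None, "user_obj": set(),
           "group_obj": set(), "other": set(), "mask": None,
           "named_user": {}, "named_group": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            if key.strip() == "owner":
                acl["owner"] = value.strip()
            elif key.strip() == "group":
                acl["owning_group"] = value.strip()
            continue  # '#file:' and any other comment is informational
        tag, qualifier, perms = (f.strip() for f in line.split(":", 2))
        bits = _bits(perms)
        if tag == "user":
            if qualifier:
                acl["named_user"][qualifier] = bits
            else:
                acl["user_obj"] = bits
        elif tag == "group":
            if qualifier:
                acl["named_group"][qualifier] = bits
            else:
                acl["group_obj"] = bits
        elif tag == "mask":
            acl["mask"] = bits
        elif tag == "other":
            acl["other"] = bits
        else:
            raise ValueError("unknown ACL tag: %r" % tag)
    return acl


def check_access(acl, identity, want):
    """Would `identity` be granted the `want` bits (e.g. 'rw') under `acl`?

    identity: {"uid": int, "name": str, "gids": set of int, "groups": set of str}
    """
    want = _bits(want)

    def grants(entry, masked=True):
        effective = entry & acl["mask"] if masked and acl["mask"] is not None else entry
        return want <= effective

    if str(identity["uid"]) == acl["owner"]:
        return grants(acl["user_obj"], masked=False)      # owner: mask does not apply
    if identity["name"] in acl["named_user"]:
        return grants(acl["named_user"][identity["name"]])
    candidates = []
    if acl["owning_group"] in {str(g) for g in identity["gids"]}:
        candidates.append(acl["group_obj"])
    candidates += [bits for name, bits in acl["named_group"].items()
                   if name in identity["groups"]]
    if candidates:
        # Group stage: a single matching entry must grant every requested bit;
        # a denial here does not fall through to the other entry.
        return any(grants(bits) for bits in candidates)
    return grants(acl["other"], masked=False)


# Constructed identities; the uid/gid values are assumptions for the example.
ROB = {"uid": 1000, "name": "rob", "gids": {1000}, "groups": {"rob"}}
NOBODY = {"uid": 65534, "name": "nobody", "gids": {65534}, "groups": {"nobody"}}
ALICE = {"uid": 1001, "name": "alice", "gids": {1001, 0}, "groups": {"alice", "wheel"}}
BOB = {"uid": 1002, "name": "bob", "gids": {1002}, "groups": {"bob"}}

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for who in (ROB, NOBODY, ALICE, BOB):
        print(who["name"], "rw" if check_access(acl, who, "rw") else "read-only")
    print("nobody can write once the mask is r--:",
          check_access(parse_acl(SAMPLE_ACL_MASKED), NOBODY, "w"))
```

The second sample is the part worth keeping in mind when auditing a file's ACL: the user:nobody:rw- entry still reads as rw-, but once the mask drops to r-- that entry is capped and nobody can no longer write, so the mask line has to be read alongside every named entry when judging what access a file actually grants.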
...
Conclusion
ACLs take care of access control problems that are overly complicated or impossible to solve with the normal Unix permissions system. By avoiding the creation of groups and overuse of root privileges, ACLs can keep administrators saner and servers more secure.
Contributors
- () RandyKramer - 05 Oct 2003