On Wednesday 01 April 2009 17:01:15 Mark David Dumlao wrote:
> On Wed, Apr 1, 2009 at 12:31 PM, Steven Lembark <lemb...@wrkhors.com> wrote:
> > The scheme works rather nicely in nearly
> > every situation (POSIX ACL's play hell with
> > the scheme, but, then, they are supposed to).
>
> That being said, is there anyone who swears by ACLs here? I've never
> tried them on (except in a couple of "classroom exercises" years ago),
> so I don't know if they're any joy. Would they allow me to force all
> files under a directory, for instance, to be something like g+rw and
> at the same time be enrolled in a shared group?

ACLs have limited use, but when you need them, you really need them. Which is 
a good thing, as you are liable to forget you applied them, and getting them 
to display is a PITA.

The only real-world cases I have personally ever seen that do require ACLs 
are:

1. A specific user does not own a file, and is not a member of the group that 
owns it. He does need write access to it though, but must not have the full 
rights of the group. An ACL just for that user solves this.

2. You need two groups to have access to the same thing. Such as, the payroll 
file is owned by Bill and accessible by group accountants and group 
payroll-clerks. You could make a "payroll" group and add the clerks and 
accountants to it, but that gets very out of hand very, very quickly (the 
number of groups explodes). If this is the only case you have like this, an 
ACL lets you simulate a second "group owner".

3. A shared directory where several people read and write files. Consistent 
group ownership of the files is easy - chmod g+s /directory/, but it's not so 
easy to ensure that g=w is always set. You could insist that everyone has a 
umask 700, but that's insane. You could run chown -R in a script every hour, 
but that's stupid. An ACL can specify a umask just for that one directory.

In every other case I had to be very careful I wasn't walking into "3 year old 
with a hammer" syndrome. Those three cases, applied with common sense, and 
kept to a minimum, can make your life easier. Use them too often or too 
widely, and you will certainly end up with an unmanageable complicated mess.

-- 
alan dot mckinnon at gmail dot com

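The three cases in the message above, plus a way to find ACLs that have been forgotten, as an added example that is not part of the original message. It assumes the `acl` tools (`setfacl`, `getfacl`) and a filesystem with POSIX ACL support; the function names and their arguments are placeholders chosen here.

```shell
#!/bin/sh
# Added example: users, groups, permissions and paths are caller-supplied.

# Case 1: one extra user gets access to a file without owning it and
# without joining (and inheriting the rights of) the owning group.
grant_user() {    # grant_user USER PERMS FILE
    setfacl -m "u:$1:$2" "$3"
}

# Case 2: a second group gets access, acting as a second "group owner".
grant_group() {   # grant_group GROUP PERMS FILE
    setfacl -m "g:$1:$2" "$3"
}

# Case 3: shared directory. setgid keeps group ownership consistent, and
# the default ACL is applied to new entries in place of the creator's umask.
share_dir() {     # share_dir DIR
    chmod g+s "$1" &&
    setfacl -d -m u::rwx,g::rwx,o::--- "$1"
}

# Audit: print every path under DIR that carries more than the base
# owner/group/other entries (named users or groups, or a default ACL).
#   -R recurse   -s skip base-only files   -p keep absolute path names
list_acls() {     # list_acls DIR
    getfacl -R -s -p "$1" 2>/dev/null | sed -n 's/^# file: //p'
}
```

`ls -l` marks such entries with a trailing `+` on the mode string, and `getfacl` escapes unusual characters in the path names it prints.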