Hi Patricia,
Yeah, I don't think ACLs were polished before POSIX died. Thus there are (were) several standards, but Linux works. When you write "production system": I have seen ACLs in HPC with 1000+ users and 10+ groups (I don't do webdev nor banks, so I have no idea what the issues are there). As for applications being integrated: ACLs can't be ignored (unless SUID), but they can be forgotten. This is an issue of proper form. Poor form: when editing, some apps make a copy and then write files based on umask, not the previous permissions.

From my chair, I have never run into issues that I couldn't overcome, and I have none in mind that would suggest not using them, but that is if you need them...

--Getting back to your question. The real boss is your users: if you have users that demand certain files be secured/private but with discrete access for certain users/groups, you need ACLs (but you know that already). That is, either you make thousands of groups, one for each particular situation, or you use ACLs. I assume you already have a usage model based on M$, but if not you will want to take the time to assess the best way to implement them. ACLs can create lots of maintenance if done wrong at the beginning (I assume you know that too :).

nb: If you use sticky bits on dirs, the perms and ACL will be copied to the enclosed files. This, as I hinted previously, _can_ make for a very sad filesystem (depending on the depth and # of files).


Anyway, I hope this was of some help.
Bye bye
Thanks
hro




On Nov 30, 2011, at 12:50 AM, Patricia Campbell wrote:

I know what ACLs are and I have used them in Windows AD and with OpenLDAP quite extensively. I am not convinced that they are useful in Linux. You do not have to use ACLs with SELinux. I have never come across them being used in production or live systems. I was looking for examples, as my experience with POSIX ACLs was that they were not properly integrated. Some utilities were unaware of them and ignored or overrode them.

On Wed, Nov 30, 2011 at 12:01 AM, Valery Shaevitch <[email protected]> wrote:
For an easier search:
http://www.google.ca/search?gcx=c&sourceid=chrome&ie=UTF-8&q=Access+Level+Control+%2B+SElinux

Val

On Tue, 2011-11-29 at 23:41 -0500, Valery Shaevitch wrote:
> Tricia, hi
> Well, first of all, (I guess you do) you should understand ACL = Access
> Level Control
>
> If you use SElinux (Security Enhanced Linux), then you MUST use ACL,
> first understanding how it works.
> Well, a small example is a Windows platform (2003 and later) where you
> may create groups or users by their properties (read permissions)
> Well, it is not like the usual Unix*s 777 or 0755 or whatever comes here
> but it is pretty similar.
> The strange (for me) fact is that I got the idea of how it works
> from a job exercise where I should've created a bunch of users
> in M$ server 2008 with different access levels (that was in Hitachi).
> Look at the net, search google for ACL or Access Level Control + SElinux
>
> I've got a lot of help there )))
>
> Wish you luck
>
> Val
>
>
> On Tue, 2011-11-29 at 23:27 -0500, Patricia Campbell wrote:
> > Thanks for the reply. I'm not sure what you mean by "if you need them
> > they are the only way" can you elaborate?
> >
> > On Tue, Nov 29, 2011 at 9:47 PM, Hroðgard Skjöldung
> > <[email protected]> wrote:
> >         Hi,
> > I have used them several times in different environments.
> >          If you need them, they are the only way...
> >
> >         Caveat: I suggest anyone using them should be very familiar
> >         with managing complex groups, the use of permissions, sticky
> >         bits etc. --One painful example I heard of recently was a
> >         site containing thousands of ACLs on files that were already
> >         covered by the enclosing directory. The number of ACLs &
> >         inodes will be the only real limit to look at..
> >
> >         ie: if you have permissions granted by a directory, the files
> >         inside only need to have world access (for w, r or x, whatever
> >         you need); this can save lots of overhead
> >
> >
> >         Nota bene, compatibility with other ACLs is a bit of a pain; if
> >         you are sharing with Windows you may look at CIFS instead.
> > NFS was a pain, but I think those bugs are mostly fixed now.
> >
> >
> >         Good luck!
> >         Hro
> >
> >
> >
> >         On 2011-11-29, at 8:02 PM, Patricia Campbell wrote:
> >
> >         > Does anyone out there use them? Or have you heard of
> >         > anyone using them, or where they are useful?
> >         >
> >         > --
> >         > ___..___........__.......__
> >         > ...|....|__/....|...|......|...|__|
> >         > ...|....|.....\...|...|__..|...|....|
> >         >
> >         > "You must be the change you wish to see in the world."
> >         > Mohandas K Gandhi
> >
> >         > _______________________________________________
> >         > mlug mailing list
> >         > [email protected]
> >         > https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
> >
> >
> >
> >
> >






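Added example, not part of the thread above and not code from any of its participants. It demonstrates two points the thread makes: that an ACL granted at the directory level saves putting one on every enclosed file, and that an application which edits a file by writing a copy and renaming it over the original drops whatever ACL the old file had. The inheritance mechanism used here is the directory's default ACL (what `setfacl -d` sets), read and written directly through the `system.posix_acl_access` / `system.posix_acl_default` extended attributes in the kernel's own wire format (`posix_acl_xattr.h`: a u32 version 2 header followed by 8-byte entries of u16 tag, u16 perm, u32 id, little-endian). Assumptions: Linux, Python 3, a filesystem mounted with ACL support, and uid 12345 as a placeholder identity that need not exist on the box; when the filesystem refuses ACL xattrs, `demo()` returns `None` instead of a result.

```python
"""POSIX ACLs as the kernel stores them, and why a default ACL on the
directory beats per-file ACLs when apps rewrite files.
Added example; assumes Linux and an ACL-capable filesystem (see lead-in)."""
import os
import struct
import tempfile

# Layout from the kernel's include/uapi/linux/posix_acl_xattr.h
ACL_VERSION = 2
TAG_USER_OBJ, TAG_USER, TAG_GROUP_OBJ, TAG_GROUP, TAG_MASK, TAG_OTHER = (
    0x01, 0x02, 0x04, 0x08, 0x10, 0x20)
ID_UNDEFINED = 0xFFFFFFFF          # id field of entries that carry no uid/gid
XATTR_ACCESS = "system.posix_acl_access"
XATTR_DEFAULT = "system.posix_acl_default"
TAG_NAMES = {TAG_USER_OBJ: "user", TAG_USER: "user", TAG_GROUP_OBJ: "group",
             TAG_GROUP: "group", TAG_MASK: "mask", TAG_OTHER: "other"}


def encode_acl(entries):
    """[(tag, perm, id)] in canonical order -> bytes the kernel accepts."""
    return struct.pack("<I", ACL_VERSION) + b"".join(
        struct.pack("<HHI", tag, perm, ident) for tag, perm, ident in entries)


def decode_acl(blob):
    """bytes read back from the xattr -> [(tag, perm, id)]."""
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != ACL_VERSION or (len(blob) - 4) % 8:
        raise ValueError("not a POSIX ACL xattr")
    return [struct.unpack_from("<HHI", blob, off) for off in range(4, len(blob), 8)]


def format_acl(entries):
    """Render entries the way getfacl prints them, e.g. 'user:12345:r--'."""
    def rwx(perm):
        return "".join(c if perm & bit else "-" for c, bit in (("r", 4), ("w", 2), ("x", 1)))
    return [f"{TAG_NAMES[tag]}:{'' if ident == ID_UNDEFINED else ident}:{rwx(perm)}"
            for tag, perm, ident in entries]


def read_acl(path, name=XATTR_ACCESS):
    """Formatted ACL, or None when only plain mode bits exist: the kernel
    stores no xattr in that case and getxattr fails with ENODATA."""
    try:
        return format_acl(decode_acl(os.getxattr(path, name)))
    except OSError:
        return None


def editor_style_rewrite(path, data):
    """The 'poor form' pattern: write a temp copy, rename it over the original.
    The path now points at a fresh inode, so the old inode's ACL is gone
    unless the directory hands a default ACL to newly created files."""
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(data)
    os.replace(tmp, path)


def demo(uid=12345):
    """Returns (ACL set on the file, ACL after a rewrite with no default ACL,
    ACL after a rewrite with a default ACL on the directory), or None when
    the filesystem refuses ACL xattrs (ENOTSUP / EINVAL) so nothing can be shown."""
    if not hasattr(os, "setxattr"):   # non-Linux Python has no xattr calls
        return None
    # one extra reader (placeholder uid 12345); mask caps named entries at r--
    acl = [(TAG_USER_OBJ, 6, ID_UNDEFINED), (TAG_USER, 4, uid),
           (TAG_GROUP_OBJ, 4, ID_UNDEFINED), (TAG_MASK, 4, ID_UNDEFINED),
           (TAG_OTHER, 0, ID_UNDEFINED)]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secret.txt")
        open(path, "w").close()
        try:
            os.setxattr(path, XATTR_ACCESS, encode_acl(acl))   # like: setfacl -m u:12345:r
        except OSError:
            return None
        on_file = read_acl(path)
        editor_style_rewrite(path, "v2\n")
        after_rewrite = read_acl(path)        # None: the per-file ACL was lost
        # Same entries on the directory as a *default* ACL (like: setfacl -d);
        # every file created inside inherits them as its access ACL, so the
        # rewrite no longer strips access and no per-file ACLs are needed.
        os.setxattr(d, XATTR_DEFAULT, encode_acl(acl))
        editor_style_rewrite(path, "v3\n")
        with_default = read_acl(path)
        return on_file, after_rewrite, with_default


if __name__ == "__main__":
    print(demo())
```

On an ACL-capable filesystem the first and third results are the same five getfacl-style lines and the middle one is `None`; the named-user entry survives the rewrite only because the directory, not the file, carries it. The same experiment can be repeated from the shell with `setfacl -m u:12345:r secret.txt`, an editor that saves via rename, and `getfacl secret.txt` before and after.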