AFAICT POSIX is still an active IEEE standard; why do you say POSIX died?

2011/11/30 Hroðgar Skjöldung <[email protected]>

> Hej hej Patricia,
>
> Yeah, I don't think ACLs were polished before POSIX died. Thus, there are (were) several standards, but Linux works. When you write "production system": I have seen ACLs in HPC, 1000+ users, 10+ groups (I don't do webdev nor banks, so I have no idea of the issues there). As for applications being integrated: ACLs can't be ignored (unless SUID), but they can be forgotten. This is an issue of proper form. Poor form: when editing, some apps make a copy and then write files based on umask, not the previous permissions.
>
> From my chair, I have never run into issues that I couldn't overcome, and I have none in mind that would suggest not using them, but that is if you need them...
>
> --Getting back to your question. The real boss is your users; if you have users that demand certain files are secured/private but have discrete access for certain users/groups, you need ACLs (but you know that already). That is, either you make thousands of groups, one for each particular situation, or you use ACLs. I assume you already have a usage model based on M$, but if not you will want to take the time to assess the best way to implement them. ACLs can create lots of maintenance if done wrong at the beginning (I assume you know that too :).
>
> nb: If you use sticky bits on dirs, the perms and ACL will be copied to the enclosed files. This, as I hinted previously, _can_ make for a very sad filesystem (depending on the depth & # of files).
>
> Anyway, I hope this was of some help.
> Bless bless
> Takk
> hro
>
> On Nov 30, 2011, at 12:50 AM, Patricia Campbell wrote:
>
>> I know what ACLs are and I have used them in Windows AD and with OpenLDAP quite extensively. I am not convinced that they are useful in Linux. You do not have to use ACLs with SELinux. I have never come across them being used in production or live systems. I was looking for examples, as my experience with POSIX ACLs was that they were not properly integrated. Some utilities were unaware of them and ignored or overrode them.
>>
>> On Wed, Nov 30, 2011 at 12:01 AM, Valery Shaevitch <[email protected]> wrote:
>>
>>> For an easier search:
>>> http://www.google.ca/search?gcx=c&sourceid=chrome&ie=UTF-8&q=Access+Level+Control+%2B+SElinux
>>>
>>> Val
>>>
>>> On Tue, 2011-11-29 at 23:41 -0500, Valery Shaevitch wrote:
>>>
>>>> Tricia, hi
>>>>
>>>> Well, first of all, (I guess you do) you should understand ACL = Access Level Control.
>>>>
>>>> If you use SElinux (Security Enhanced Linux), then you MUST use ACL, first understanding how it works.
>>>>
>>>> Well, a small example is a Windows platform (2003 and later) where you may create groups or users by their properties (read permissions). Well, it is not like the usual Unix*s 777 or 0755 or whatever comes here, but it is pretty similar.
>>>>
>>>> The strange (for me) fact is that where I got the idea of how it works was a job exercise where I had to create a bunch of users in M$ Server 2008 with different access levels (that was at Hitachi).
>>>>
>>>> Look at the net, search Google for ACL or Access Level Control + SElinux. I've got a lot of help there )))
>>>>
>>>> Wish you luck
>>>>
>>>> Val
>>>>
>>>> On Tue, 2011-11-29 at 23:27 -0500, Patricia Campbell wrote:
>>>>
>>>>> Thanks for the reply. I'm not sure what you mean by "if you need them they are the only way"; can you elaborate?
>>>>>
>>>>> On Tue, Nov 29, 2011 at 9:47 PM, Hroðgard Skjöldung <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have used them several times in different environments. If you need them, they are the only way...
>>>>>>
>>>>>> Caveat: I suggest anyone using them should be very familiar with managing complex groups, the use of permissions, sticky bits etc.
>>>>>>
>>>>>> --One painful example I heard of recently was a site containing thousands of ACLs on files that were already covered by the enclosing directory. The number of ACLs & inodes will be the only real limit to look at..
>>>>>>
>>>>>> ie: if you have permissions granted by a directory, the files inside only need to have world access (for w, r or x, whatever you need); this can save lots of overhead.
>>>>>>
>>>>>> Nota bene, compatibility with other ACLs is a bit of a pain; if you are sharing with Windows you may look at CIFS instead. NFS was a pain, but I think those bugs are mostly fixed now.
>>>>>>
>>>>>> Gluck!
>>>>>> Hro
>>>>>>
>>>>>> On 2011-11-29, at 8:02 PM, Patricia Campbell wrote:
>>>>>>
>>>>>>> Does anyone out there use them? Or have you heard of anyone using them, or where they are useful?
>>>>>>>
>>>>>>> --
>>>>>>> "You must be the change you wish to see in the world." Mohandas K Gandhi

_______________________________________________
mlug mailing list
[email protected]
https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
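The thread touches three mechanics of POSIX ACLs without showing them: inheritance of permissions from a directory onto newly created files (what acl(5) calls the directory's default ACL), the editor that saves a fresh copy using only umask and thereby loses the per-user entries, and Hro's tip that a locked directory makes per-file ACLs unnecessary. The following is an added example, not code from the thread or from any of the posters: a pure-Python restatement of the access-check, default-ACL inheritance and chmod/mask rules documented in acl(5), so it runs without setfacl/getfacl or an ACL-enabled filesystem. The users (bob, alice, carol, mallory), the group "staff", the modes and the ACL entries are constructed sample data; names stand in for numeric ids.

```python
"""POSIX ACL model: access check, default-ACL inheritance, chmod/mask interaction.
Added example, not code from the mailing-list thread: a pure-Python restatement
of the rules in acl(5), so it runs with no setfacl/getfacl or ACL-enabled
filesystem. Names, modes and ACL entries below are constructed sample data."""
from dataclasses import dataclass, field
from typing import Optional

R, W, X = 4, 2, 1

def parse_perm(s: str) -> int:
    """'rw-' -> 6"""
    return (R if "r" in s else 0) | (W if "w" in s else 0) | (X if "x" in s else 0)

@dataclass
class Acl:
    user_obj: int                                # user::   (owner)
    group_obj: int                               # group::  (owning group)
    other: int                                   # other::
    users: dict = field(default_factory=dict)    # user:NAME:
    groups: dict = field(default_factory=dict)   # group:NAME:
    mask: Optional[int] = None                   # mask::   caps the group class

    @classmethod
    def parse(cls, text: str) -> "Acl":
        """Parse getfacl-style short entries such as 'user:alice:rw-' (names stand in for ids)."""
        kw = {"users": {}, "groups": {}}
        for line in text.splitlines():
            line = line.split("#", 1)[0].strip()
            if not line:
                continue
            tag, qual, perm = line.split(":")
            p = parse_perm(perm)
            if tag in ("user", "group") and qual:
                kw[tag + "s"][qual] = p
            else:
                kw[{"user": "user_obj", "group": "group_obj", "mask": "mask", "other": "other"}[tag]] = p
        return cls(**kw)

    def _eff(self, p: int) -> int:
        """Named users, the owning group and named groups are all limited by the mask."""
        return p if self.mask is None else p & self.mask

    def check(self, uid, gids, owner, owner_group, want: int) -> bool:
        """acl(5) algorithm: owner, else named user, else any matching group, else other."""
        if uid == owner:
            return self.user_obj & want == want
        if uid in self.users:
            return self._eff(self.users[uid]) & want == want
        cands = [self.group_obj] if owner_group in gids else []
        cands += [p for g, p in self.groups.items() if g in gids]
        if cands:   # some group matched: grant iff one of them suffices, never fall through to other
            return any(self._eff(p) & want == want for p in cands)
        return self.other & want == want

    def chmod_group(self, bits: int) -> None:
        """chmod's group bits set the mask when one exists, not the owning-group entry."""
        if self.mask is None:
            self.group_obj = bits
        else:
            self.mask = bits

def inherit(default: Acl, create_mode: int) -> Acl:
    """New file in a dir carrying default ACL 'default'. Per acl(5) the mode passed to
    open(2) (umask is NOT applied) is ANDed into user::, other:: and mask:: (group:: if
    there is no mask); named entries are copied unchanged."""
    u, g, o = (create_mode >> 6) & 7, (create_mode >> 3) & 7, create_mode & 7
    has_mask = default.mask is not None
    return Acl(user_obj=default.user_obj & u,
               group_obj=default.group_obj if has_mask else default.group_obj & g,
               other=default.other & o, users=dict(default.users),
               groups=dict(default.groups), mask=default.mask & g if has_mask else None)

def from_mode(mode: int) -> Acl:
    """Minimal ACL of a file created with plain mode bits (no default ACL on the directory)."""
    return Acl(user_obj=(mode >> 6) & 7, group_obj=(mode >> 3) & 7, other=mode & 7)

def path_check(dirs, target, uid, gids, want: int) -> bool:
    """x on every directory on the path, then 'want' on the target; tuples are (acl, owner, group)."""
    return all(a.check(uid, gids, o, g, X) for a, o, g in dirs) and \
        target[0].check(uid, gids, target[1], target[2], want)

# Constructed scenario: bob's project directory, owning group 'staff', alice added via default ACL.
DEFAULT_ACL = Acl.parse("""
    user::rwx
    group::r-x
    user:alice:rw-
    mask::rwx
    other::---
""")

def scenario():
    """(alice rw on new file, alice w after an umask-only editor copy, alice w after chmod g-w)."""
    f = inherit(DEFAULT_ACL, 0o666)                  # editor asks for 0666; default ACL applies
    ok = f.check("alice", set(), "bob", "staff", R | W)
    # Pitfall from the thread: an editor that writes a fresh copy with mode & ~umask
    # into a directory with no default ACL silently drops the alice entry.
    copy = from_mode(0o666 & ~0o022)
    after_copy = copy.check("alice", set(), "bob", "staff", W)
    # chmod g-w lowers the mask: getfacl still lists user:alice:rw-, effective is r--.
    f.chmod_group(R)
    after_chmod = f.check("alice", set(), "bob", "staff", W)
    return ok, after_copy, after_chmod

def dir_coverage():
    """Hro's point: lock the directory, leave the file world-readable; only who can
    traverse the directory reads it, so no per-file ACL is needed."""
    project = (Acl.parse("user::rwx\ngroup::---\nuser:alice:r-x\nmask::r-x\nother::---"), "bob", "staff")
    note = (from_mode(0o644), "bob", "staff")
    return (path_check([project], note, "alice", set(), R),
            path_check([project], note, "mallory", set(), R))
```

`scenario()` returns `(True, False, False)`: alice can read and write a file created under the default ACL, loses write on the editor's umask-only copy, and loses it again after `chmod g-w`, because chmod rewrites the mask rather than the owning-group entry (on a real system `getfacl` marks this with an `#effective:` annotation). `dir_coverage()` returns `(True, False)`: the file carries only plain `0644` bits, yet only alice, who can traverse the directory, reaches it. On a real filesystem the equivalent setup is `setfacl -d -m u:alice:rw- dir` for the default ACL and `setfacl -m u:alice:r-x dir` for the directory itself; the model above is only an aid for reasoning about what those commands do.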
