On 2011-11-30, at 4:45 PM, Patricia Campbell wrote:
> afaict POSIX is still an active standard ieee why do you say POSIX died ?

hej,
Out of complete ignorance. From what I remember POSIX died, but I am referring to a working committee and not a standard... I just did some googling and it seems that I was completely wrong. -- I am not sure what I was thinking. Sorry for the confusion.

Takk
Hro

> 2011/11/30 Hroðgar Skjöldung <[email protected]>
> Hej hej Patricia,
> Yeah, I don't think ACLs were polished before POSIX died. Thus, there
> are (were) several standards but Linux works. When you write "production
> system", I have seen ACLs in HPC 1000+ users, 10+ groups ( I don't do webdev
> nor banks so I have no idea the issues there ). As for applications being
> integrated. ACLs can't be ignored (unless SUID), but they can be forgotten.
> This is an issue of proper-form. poor form: when editing, some apps make a
> copy and then write files based on umask, not the previous permissions.
>
> From my chair, I have never run into issues, that I couldn't overcome, and
> I have none in mind that would suggest to not use them, but that is if you
> need them...
>
> --Getting back to your question. The real boss is your users, if you have
> users that demand certain files are secured/private but have discrete access
> to certain users/groups you need acls ( but you know that already).
> That is either you make thousands of groups, one for each particular
> situation, or you use acls. I assume you already have a usage model based on
> M$, but if not you will want to take the time to assess the best way to
> implement them. ACLs can create lots of maintenance if done wrong at the
> beginning ( I assume you know that too :).
>
> nb: If you use sticky bits on dirs the perms and acl will be copied to the
> enclosed files. This, as I hinted to previously, _can_ make for a very sad
> filesystem (depending on the depth & # of files)
>
>
> Anyway, I hope this was of some help.
> Bless bless
> Takk
> hro
>
> On Nov 30, 2011, at 12:50 AM, Patricia Campbell wrote:
>
> I know what ACLs are and I have used them in Windows AD and with OpenLDAP
> quite extensively. I am not convinced that they are useful in Linux.
> You do not have to use ACLs with SELinux. I have never come across them
> being used in production or live systems. I was looking for examples as my
> experience with POSIX acls was that they were not properly integrated. Some
> utilities were unaware of them and ignored or overrode them.
>
> On Wed, Nov 30, 2011 at 12:01 AM, Valery Shaevitch <[email protected]> wrote:
> For an easier search ::
> http://www.google.ca/search?gcx=c&sourceid=chrome&ie=UTF-8&q=Access+Level+Control+%2B+SElinux
>
> Val
>
> On Tue, 2011-11-29 at 23:41 -0500, Valery Shaevitch wrote:
> > Tricia, hi
> > Well, first of all, (I guess you do) you should understand ACL = Access
> > Level Control
> >
> > If you use SElinux (Security Enhanced Linux), then you MUST
> > use ACL, first understanding how it works.
> > Well, a small example is a Windows platform (2003 and later) where you
> > may create groups or users by their properties (read permissions)
> > Well, it is not like usual Unix*s 777 or 0755 or whatever comes here
> > but it is pretty similar.
> > The strange (for me) fact that I've got the idea how it works
> > was a job exercise where I should've created a bunch of users
> > in M$ server 2008 with different access levels. (that was in Hitachi)
> > Look at the net, search google for ACL or Access Level Control + SElinux
> >
> > I've got a lot of help there )))
> >
> > Wish you luck
> >
> > Val
> >
> >
> > On Tue, 2011-11-29 at 23:27 -0500, Patricia Campbell wrote:
> > > Thanks for the reply. I'm not sure what you mean by "if you need them
> > > they are the only way" can you elaborate?
> > >
> > > On Tue, Nov 29, 2011 at 9:47 PM, Hroðgard Skjöldung
> > > <[email protected]> wrote:
> > > Hi,
> > > I have used them several times in different environments.
> > > If you need them, they are the only way...
> > >
> > > Caveat: I suggest anyone using them should be very familiar
> > > with managing complex groups, the use of permissions, sticky
> > > bits etc. --One painful example I heard of recently was a
> > > site containing thousands of ACLs on files that were already
> > > covered by the enclosing directory. The number of ACLs &
> > > inodes will be the only real limit to look at..
> > >
> > > ie: if you have permissions granted by a directory, the files
> > > inside only need to have world access ( for w r or x whatever
> > > you need ) this can save lots of overhead
> > >
> > >
> > > Nota bene, compatibility with other ACL is a bit of a pain, if
> > > you are sharing with windows you may look at CIFS instead.
> > > NFS was a pain, but I think those bugs are mostly fixed now.
> > >
> > >
> > > Gluck!
> > > Hro
> > >
> > >
> > > On 2011-11-29, at 8:02 PM, Patricia Campbell wrote:
> > >
> > > > Does anyone out there use them ? Or have you heard of
> > > > anyone using them, or where they are useful?
> > > >
> > > > --
> > > > ___..___........__.......__
> > > > ...|....|__/....|...|......|...|__|
> > > > ...|....|.....\...|...|__..|...|....|
> > > >
> > > > "You must be the change you wish to see in the world."
> > > > Mohandas K Gandhi
> > > >
> > > > _______________________________________________
> > > > mlug mailing list
> > > > [email protected]
> > > > https://listes.koumbit.net/cgi-bin/mailman/listinfo/mlug-listserv.mlug.ca
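
Added example, not part of any message in the thread: the "poor form" described above, where an editor saves by writing a new copy whose permissions come from the umask, next to a save that carries the original permission bits and POSIX ACL across. The function names and the 0640/022 demo values are assumptions chosen for illustration; the ACL copy relies on Linux keeping the access ACL in the system.posix_acl_access extended attribute.

```python
import os
import tempfile

ACL_XATTR = "system.posix_acl_access"  # where Linux keeps a file's access ACL

def naive_save(path, data):
    """Write a new copy and rename it over the original (mode from umask, no ACL)."""
    tmp = path + ".new"
    with open(tmp, "wb") as f:
        f.write(data)
    os.replace(tmp, path)

def preserving_save(path, data):
    """Same replace-by-rename, but carry permission bits and ACL across."""
    st = os.stat(path)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")  # created 0600
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
        try:
            os.setxattr(tmp, ACL_XATTR, os.getxattr(path, ACL_XATTR))
        except OSError:
            pass  # original has no ACL, or the filesystem does not support them
        os.chmod(tmp, st.st_mode & 0o777)  # rwx only; setuid/setgid/sticky not propagated
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise

def demo():
    """Return (mode after naive save, mode after preserving save) for a constructed 0640 file."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            modes = []
            for save in (naive_save, preserving_save):
                path = os.path.join(d, save.__name__)
                with open(path, "wb") as f:
                    f.write(b"v1")
                os.chmod(path, 0o640)
                save(path, b"v2")
                modes.append(os.stat(path).st_mode & 0o777)
            return tuple(modes)
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    print([oct(m) for m in demo()])
```

After the naive save the file that was 0640 is world-readable (0644); comparing `getfacl` output before and after an application's save shows the same loss for ACL entries.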
