[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: About the login shell

Lionel Elie Mamane wrote:

On Tue, Aug 20, 2002 at 11:28:07AM -0500, Tom Hart wrote:

ACL's (Access Control Lists, for those who haven't heard the term
before), allow the administrator to have more fine-grained control
over access to the system.

However, the only system I'm familiar with that uses them is Windows

Maybe I should describe what I know of the ACL's implemented on top of
Unix then: I had some experience with a Solaris system, and I heard
that the (since withdrawn) POSIX ACL draft was very close to this.

It is much more simple than the NT ACL's:

There are 6 types of entries:

- (user | group) owner permissions
- other users permissions
- one specific (user|group) permissions
- the mask

Directories can additionally contain so-called "default values", that
is the ACL file created in this directory will contain initially. It
is unclear to me how this interacts with the umask (maybe the mask is
set to the umask).

An user has permission to do something if ANY entry of this file's ACL
gives him permission (modulo the mask, see below). So permissions are
cumulative: when you give a group permissions, you give it to all its
users, no exception. you can't say "all the 'staff' group has write
access, but not johndoe, even if he is member of the 'staff'
group". And only this file's ACL matters. There is no concept of

The mask is the maximal authorisations anyone (except the user owner)
can have. So the effective authorisations applying to an user is:

(bitwise or of all ACL entries that apply to him) bitwise and (the mask)

Does this "version" of ACL's calm your fears of ACL's being

Ah, yes, this seems more intuitive, and more Unixy. That would be a Good Thing. I think the non-intuitiveness of NT ACLs comes mainly from their order-dependent nature, coupled with ACE inheritance. (And I think they even changed the rules for which ACEs take precedence between NT4 and Win2k.)

I STFW'd for Posix and Solaris ACLs, and there is some very servicable information out there:


In particular, the GNU cfengine document describes Solaris, DFS, and NT ACL approaches quite succinctly, and it is easy to see that NT's approach is the most complicated of the bunch.

The one thing about NT's approach that I think is good is the presence of Deny ACEs. If ACEs are non-inheritable, I don't think this would add an unreasonable amount of complexity to the system. And I suspect that there are many situations in which it would be more convenient to add a Deny ACE to a file than to have to make a new group that excludes the person to whom you'd like to deny access.

-- Tom Hart

Reply to: