From owner-freebsd-chat Wed Oct 22 18:06:57 1997
From: Wes Peters - Softweyr LLC
Message-Id: <199710230105.TAA13328@xmission.xmission.com>
Subject: Re: C2 Trusted FreeBSD?
To: skafte@worldgate.com (Greg Skafte)
Date: Wed, 22 Oct 1997 19:05:39 -0600 (MDT)
Cc: chat@freebsd.org
In-Reply-To: <19971021205331.53826@worldgate.com> from "Greg Skafte" at Oct 21, 97 08:53:31 pm

> back in a former life when I worked for a company that had
> an HP, I set up extended ACLs all the time, it was very handy
> for controlling access to things like web directories. (ie
> yes everyone was part of group http, but then with the extended
> ACL I could force things to g=rwx, but still control who could
> read or write to a specific tree) ACLs take some extra time
> and effort but in the long term I found them wonderful...

Yes, but how do you back them up, or, worse yet, restore them? How do you copy your HTML directory tree to another drive you're bringing on-line and preserve all the ACL settings? As noted before, *none* of the system tools support the ACLs. If you created, for instance, a version of TAR that backed up the ACL information, it would be incompatible with every other version of tar in the world.*

Tools are a part of the reason ACLs aren't a standard part of UNIX. They're not that hard to implement, especially not if you do it the way HP did, which simply extends the inode information by a fixed amount.

*The one exception was a backup program called DBR, which is no longer sold. On HP-UX and AIX, it could save the ACL information using cpio -c format and maintain compatibility with standard cpio by using cute tricks in the cpio format. It would use a 1024 byte buffer for the filename, and then place the null-terminated filename in the buffer, followed by the ACL information. Cpio would happily extract the full 1024 bytes of filename info and then open the null-terminated filename, ignoring the ACL data. In order to restore the ACL information, you had to restore with DBR, but *any* cpio could get the file data off the tape. Cute, eh?

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                    Softweyr LLC
http://www.xmission.com/~softweyr      softweyr@xmission.com
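As an added illustration of the DBR trick Wes describes (this is example code, not from the original message or from DBR itself), here is a Python writer that pads the cpio -c (odc, portable ASCII) name field to 1024 bytes with the ACL text placed after the filename's NUL, plus two readers: one that behaves like ordinary cpio and stops at the NUL, and one that recovers the trailing ACL bytes. The header layout follows the portable ASCII cpio format; the 1024-byte buffer size is taken from the post, and all other header fields are placeholder values.

```python
ODC_MAGIC = b"070707"      # cpio -c ("odc") magic
NAME_BUF = 1024            # DBR's fixed filename buffer, per the post
TRAILER = b"TRAILER!!!"

def _header(mode: int, namesize: int, filesize: int) -> bytes:
    # 76-byte odc header: dev ino mode uid gid nlink rdev mtime namesize
    # filesize, all octal ASCII; non-essential fields are zeroed here.
    return ODC_MAGIC + ("%06o%06o%06o%06o%06o%06o%06o%011o%06o%011o" % (
        0, 0, mode, 0, 0, 1, 0, 0, namesize, filesize)).encode()

def build_dbr_archive(files: dict, acls: dict) -> bytes:
    """files: {name: data}; acls: {name: acl text}. Each name field is
    name + NUL + acl, padded to NAME_BUF, so namesize is always 1024."""
    out = b""
    for name, data in files.items():
        field = name.encode() + b"\0" + acls.get(name, "").encode()
        if len(field) > NAME_BUF:
            raise ValueError("name plus ACL does not fit the 1024-byte buffer")
        out += _header(0o100644, NAME_BUF, len(data))
        out += field.ljust(NAME_BUF, b"\0") + data
    t = TRAILER + b"\0"   # standard trailer so any cpio knows where to stop
    return out + _header(0, len(t), 0) + t

def _entries(blob: bytes):
    """Yield (raw name field, data) for each odc entry up to the trailer."""
    off = 0
    while True:
        hdr = blob[off:off + 76]
        if hdr[:6] != ODC_MAGIC:
            raise ValueError("not an odc cpio header at offset %d" % off)
        namesize, filesize = int(hdr[59:65], 8), int(hdr[65:76], 8)
        field = blob[off + 76:off + 76 + namesize]
        data = blob[off + 76 + namesize:off + 76 + namesize + filesize]
        off += 76 + namesize + filesize
        if field.split(b"\0", 1)[0] == TRAILER:
            return
        yield field, data

def plain_cpio_view(blob: bytes) -> dict:
    """What ordinary cpio extracts: file data keyed by NUL-terminated name."""
    return {f.split(b"\0", 1)[0].decode(): d for f, d in _entries(blob)}

def dbr_view(blob: bytes) -> dict:
    """What a DBR-style restore sees: (acl text, data), with the ACL taken
    from the bytes after the name's NUL and the zero padding stripped."""
    out = {}
    for f, d in _entries(blob):
        name, rest = f.split(b"\0", 1)
        out[name.decode()] = (rest.rstrip(b"\0").decode(), d)
    return out
```

Everything after the NUL in the name field is invisible to a plain cpio restore, which is exactly why the file data survives any cpio while the ACLs only come back through the tool that knows to look there.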