Date: Thu, 6 Dec 2001 17:15:39 +0100
From: Cliff Sarginson <cliff@raggedclown.net>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: ACLs Was: Modifying only certain bits with chmod
Message-ID: <20011206161539.GB32576@raggedclown.net>
In-Reply-To: <Pine.GSO.4.31.0112061358420.323-100000@mail.ilrt.bris.ac.uk>
References: <20011206132237.GB9605@raggedclown.net> <Pine.GSO.4.31.0112061358420.323-100000@mail.ilrt.bris.ac.uk>

On Thu, Dec 06, 2001 at 02:02:35PM +0000, Jan Grant wrote:
> On Thu, 6 Dec 2001, Cliff Sarginson wrote:
>
> > I was reading about the impending arrival of ACL's in FreeBSD 5
> > yesterday...talk about confusing the children. And it seems, if I
> > am correct, that it has no impact on the execution of programs, which
> > is where it would be *really* useful in de-terrorising the use of
> > root..but that is another topic altogether.
> > Or perhaps I am missing the point.
>
> ACLs _are_ pretty useful; they're only (in the POSIX world) file-system
> things, indeed - TrustedBSD has other goodies to offer too. But their
> usefulness really depends on what you want to use the system for. More
> flexible file-system privs for a file-server is the obvious use; it'll
> be nice * when that bit of samba works out of the box.
>
> Someone had a query recently regarding suExec and apache CGI serving
> that sounded like an ideal use for extended ACLs.
>
> jan
>
> * ie, convenient in the extreme
>

Oh I don't doubt their usefulness.
I was rather more referring to execute permissions on certain
programs being granted via an ACL mechanism. This would assist in
creating a certain level of administrative user, not as powerful
as root, but more powerful than an ordinary user. The lack of this
is what NT lovers waggle in your face all the time. Although the NT
model is hardly one any sane person would want to emulate.

This would be, just thinking off the top of my head, a bit like
"grant" used in database systems like Oracle. Some users would be
granted the ability to do certain actions.

I was once involved in an exercise (more than an exercise, a reality)
of attempting to create a "system" user level. This was for use by
operators to try and restrict the need for root access for mundane
system administration activities. This involved a lot of fiddling
with permissions, groups etc. It more or less worked, but this was
in the days of the 6th Edition, when everything was so much simpler.

-- 
Regards
Cliff
