ACL

From FreeBSDwiki
Latest revision as of 17:30, 25 August 2012

ACL is an acronym for Access Control List. Under the ACL model, any number of users and groups may hold any number of different and/or overlapping permissions on a single file or directory. An NT-style ACL, if you could view one directly and it were written in English, might look something like this:

Permissions for FILE:

owned by: [user STEVE]

user JOE: [read]
group GUYS: [read], [write]
group MEANIES: [disallow delete]
everyone: [no permissions]
Inherit parent permissions? [yes]

Interpreting this ACL properly can be tricky. What are JOE's effective permissions on this file? The short answer is, we have no idea! Why not? Well, first of all, we need to know whether JOE is a member of GUYS and/or MEANIES. Assuming that he is a member of GUYS and also of MEANIES, we now see that JOE has read and write permissions, but no delete permission... or so we think. The catch is, this file has the "inherit parent permissions" flag set, so JOE might actually have anything from full permissions (except delete) to no permissions at all on this file, depending on what the parent - and possibly its parent, and so on ad infinitum - allows or specifically disallows!

The effective privilege level that JOE has on this file is determined by first adding together all the permissive entries from the ACLs of FILE and its parent directories, then subtracting all the restrictive entries - so we know JOE won't be able to delete FILE, since we saw him specifically disallowed from doing so in FILE's own ACL, but we don't know whether he is allowed to do anything else to it without examining every ACL that could potentially bear on it.

As an example, if FILE were actually C:\INETPUB\Sites\Realtors\JeffreyStokes.com\Images\Houses\SplitLevelRanch\Downtown\001.jpg on a Windows system, you would need to parse a total of ten separate ACLs (from the root of the C: drive all the way to the Downtown folder, as well as 001.jpg itself) before you actually knew who could do what to 001.jpg.
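To make the evaluation rule above concrete, here is a small Python model of it. This is an added example for this page, not code from FreeBSDwiki or from Windows: it implements exactly the page's simplified rule (union of all allows along the inheritance chain, minus the union of all denies), not the real NTFS ordered-ACE algorithm. The ten-level path and FILE's own ACL are the page's; the entries placed on C:\ and Downtown are constructed assumptions so that the parents visibly change JOE's result.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Node:
    """One file or directory carrying its own ACL (constructed model)."""
    name: str
    allow: dict = field(default_factory=dict)  # principal -> rights granted
    deny: dict = field(default_factory=dict)   # principal -> rights disallowed
    inherit: bool = True                       # "Inherit parent permissions?"
    parent: Optional["Node"] = None


def chain(node):
    """Yield every ACL that bears on node: its own, then each ancestor's,
    stopping after the first node whose inherit flag is off."""
    while node is not None:
        yield node
        if not node.inherit:
            return
        node = node.parent


def effective(node, user, groups):
    """The page's rule: add together every allow found along the chain,
    then subtract every deny. One deny anywhere in the chain wins."""
    principals = {user, *groups, "everyone"}
    allowed, denied = set(), set()
    for n in chain(node):
        for p in principals:
            allowed |= n.allow.get(p, set())
            denied |= n.deny.get(p, set())
    return frozenset(allowed - denied)


def build_example():
    """The page's path C:\\...\\Downtown\\001.jpg as ten chained nodes."""
    parts = ["C:", "INETPUB", "Sites", "Realtors", "JeffreyStokes.com",
             "Images", "Houses", "SplitLevelRanch", "Downtown", "001.jpg"]
    nodes = []
    for part in parts:
        nodes.append(Node(part, parent=nodes[-1] if nodes else None))
    file_node = nodes[-1]
    # FILE's own ACL, exactly as listed on the page (no explicit owner entry)
    file_node.allow = {"JOE": {"read"}, "GUYS": {"read", "write"}, "everyone": set()}
    file_node.deny = {"MEANIES": {"delete"}}
    # Ancestor entries below are constructed for this example, not from the page
    nodes[0].deny = {"MEANIES": {"write"}}            # C:\ disallows write for MEANIES
    nodes[8].allow = {"GUYS": {"execute", "delete"}}  # Downtown lets GUYS execute and delete
    return file_node


if __name__ == "__main__":
    f = build_example()
    print(len(list(chain(f))), "ACLs consulted")                # 10
    print(sorted(effective(f, "JOE", {"GUYS", "MEANIES"})))   # ['execute', 'read']
    f.inherit = False                                          # stop at FILE's own ACL
    print(sorted(effective(f, "JOE", {"GUYS", "MEANIES"})))   # ['read', 'write']
```

Reading FILE's ACL alone, JOE appears to have read and write. Walking all ten ACLs, he ends up with read and execute instead: the write he was granted on FILE is cancelled by a deny on C:\, and the delete granted to GUYS on Downtown is cancelled by FILE's own deny. Removing JOE from MEANIES lifts both denies and leaves him with every right, which is the page's point: nothing about JOE's access can be known from the file's own ACL.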

Unix-like systems, including FreeBSD, generally use a simpler numeric permissions model, in which every file is owned by one user and one group, and only three sets of permissions can be set: Owner, Group, and World. So let's examine FILE as it might be on a FreeBSD system using standard numeric permissions:

-rwxr-x---  1 STEVE            GUYS                 431 Mar 17  2003 FILE

This is the actual output of the ls command with the -l flag. It tells us, among other things, that FILE is owned by the user STEVE and the group GUYS, and that the permissions are rwx, r-x, and --- - meaning that STEVE can read, write, or execute FILE, the members of GUYS can read or execute FILE but not write to (or delete) it, and anyone else can't do anything at all with FILE. These three sets of permissions are known as "Owner/Group/World" permissions, and nothing is inherited from anything else - what you see is what you get.
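The same question asked of the ls output above, as an added Python example that is not part of the wiki page: it parses the mode column of an ls -l line into the three permission classes, converts them to the octal number chmod takes, and applies the classic Unix rule that exactly one class applies to a given user. The ls line is the page's; the user and group memberships and the second ls line used for the edge case are constructed.

```python
# The page's ls -l line, copied verbatim
LS_LINE = "-rwxr-x---  1 STEVE            GUYS                 431 Mar 17  2003 FILE"


def parse_mode(mode_str):
    """Turn the 10-character mode column of ls -l into three frozensets
    (owner, group, world). s/S and t/T occupy the execute slot: lowercase
    means the execute bit is also set, uppercase means it is not."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character mode string such as -rwxr-x---")
    classes = []
    for start in (1, 4, 7):
        perms = set()
        for ch, letter, name in zip(mode_str[start:start + 3], "rwx",
                                    ("read", "write", "execute")):
            if ch == letter or (letter == "x" and ch in "st"):
                perms.add(name)
            elif ch == "-" or (letter == "x" and ch in "ST"):
                continue
            else:
                raise ValueError(f"unexpected character {ch!r} in {mode_str}")
        classes.append(frozenset(perms))
    return tuple(classes)


def octal_mode(owner, group, world):
    """The same three classes as the number chmod takes (0750 for the page's FILE)."""
    value = 0
    for perms in (owner, group, world):
        value = (value * 8
                 + (4 if "read" in perms else 0)
                 + (2 if "write" in perms else 0)
                 + (1 if "execute" in perms else 0))
    return value


def effective(ls_line, user, groups):
    """Classic Unix rule: exactly one class applies, and there is nothing to
    inherit. The owner gets the owner bits only, even if the group bits grant
    more; otherwise a group member gets the group bits; otherwise world."""
    fields = ls_line.split()
    mode_str, owner_name, group_name = fields[0], fields[2], fields[3]
    owner, group, world = parse_mode(mode_str)
    if user == owner_name:
        return owner
    if group_name in groups:
        return group
    return world


if __name__ == "__main__":
    print(oct(octal_mode(*parse_mode(LS_LINE.split()[0]))))  # 0o750
    # memberships below are constructed for the example
    for who, memberships in (("STEVE", {"GUYS"}),
                             ("JOE", {"GUYS", "MEANIES"}),
                             ("BOB", set())):
        print(who, sorted(effective(LS_LINE, who, memberships)))
```

Unlike the ACL model, the answer is read off one line with no other file consulted. The one thing parents still decide in the Unix model is reachability, not inherited rights: a user needs the execute (search) bit on every directory in the path to open the file at all, which is a traversal check rather than a permission that flows down onto FILE.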

So which is better, ACLs or numeric permissions? It depends on who you ask, and what your needs are. Numeric permissions tend to lead to faster filesystems, as the overhead of checking ACLs, particularly ACLs with inheritable permissions, can sometimes add surprisingly dramatic amounts of overhead to simple file and directory manipulations. And even the apparent strength of ACLs - their obviously greater flexibility and granularity - can be their downfall; it is not at all uncommon for administrators of ACL'ed systems to be completely mistaken about the effective permissions on any given file because they forgot what it is inheriting from its parents, or didn't notice an allow or a deny explicitly set for one of several different groups which all have various conflicting privileges set on the same file.

As of the writing of this article, all versions of FreeBSD use the numeric permissions model by default; however, all versions of FreeBSD 5.x are capable of enabling ACLs using the tunefs command if so desired. As always, think carefully before enabling a new and far-reaching addition to your system - there are disadvantages and advantages to both models, and which model is most appropriate differs from system to system.

[http://www.onlamp.com/pub/a/bsd/2005/09/22/FreeBSD_Basics.html ONLamp article on ACLs]