On 09/06/18 18:09, Rich Freeman wrote:
> I feel like this is something that Windows natively gets "better" than
> POSIX.  They have a concept of UIDs being specific to a machine or
> authentication server (or domain as they call it), and this concept is
> enforced at the host level.  That said, I'm sure this approach has its
> downsides as well, in particular it is certainly more complex and at
> work we practically forbid any kind of Windows ACLs at anything other
> than the top mount level because it is so hard to control.

Windows is better than POSIX?! That doesn't say much for POSIX then, seeing as I feel Windows ACLs are overly complex and difficult!

Okay, ACLs assume a directory structure, which have serious problems with Unix hard links, so I can understand the two features not mapping on to each other very well. In particular, if an object does not have a specific ACL, it's supposed to inherit from its parent, but if you have hard links, which parent does it inherit from?

The system I used which had ACLs, I *think* when you logged in to any machine, you could tell it to authenticate against a different machine so it must have had some machine/identity pair.

Then ACLs were simplicity itself as well, because they were user, group, other. If a user was named, that was what they got. If they weren't named, they got the sum of all the groups they belonged to. And if none of their groups were named, they just got the other permissions.

So if you wanted someone to get LESS than the sum of their groups, you just gave them personally what you wanted, and that was that.

Cheers,
Wol
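
An added example (not part of the original message) modelling the two points above: the user/group/other evaluation order, and parent inheritance for an object with no ACL of its own, which gives a hard-linked file different permissions depending on the path used to reach it. The paths, users, groups and permission letters are constructed, and walking up the path to the nearest ACL is an assumption about how inheritance is resolved.

```python
# Added illustration: a toy model of the ACL rules described in the message.
# All names, paths and permission letters here are constructed.

def effective(acl, user, groups):
    """Named user wins outright; else the union of named groups; else 'other'."""
    if user in acl["users"]:
        return set(acl["users"][user])
    named = [g for g in groups if g in acl["groups"]]
    if named:
        return set().union(*(acl["groups"][g] for g in named))
    return set(acl["other"])

def resolve_acl(acls, path):
    """Walk up from path until an object with its own ACL is found (assumed rule)."""
    while path not in acls:
        if path == "/":
            raise KeyError("no ACL on root")
        path = path.rsplit("/", 1)[0] or "/"
    return acls[path]

def access(acls, path, user, groups):
    """Permissions a user gets when reaching an object through this path."""
    return effective(resolve_acl(acls, path), user, groups)

# Constructed sample: two directories with different ACLs.
ACLS = {
    "/": {"users": {}, "groups": {}, "other": ""},
    "/projects": {"users": {"carol": "r"},
                  "groups": {"dev": "rw", "ops": "rx"},
                  "other": "r"},
    "/private": {"users": {}, "groups": {"ops": "r"}, "other": ""},
}

# One file with no ACL of its own, hard-linked under both directories.
LINKS = ["/projects/report.txt", "/private/report.txt"]

if __name__ == "__main__":
    people = [("alice", ["dev", "ops"]), ("carol", ["dev", "ops"]), ("dave", [])]
    for who, grps in people:
        for p in LINKS:
            perms = "".join(sorted(access(ACLS, p, who, grps))) or "-"
            print(f"{who:6} {p:22} {perms}")
```

The same file yields `rwx` for alice through one link and `r` through the other, while carol's personal entry caps her below the sum of her groups.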
