On Wed, Jan 13, 2010 at 10:13 AM, Roger Burton West <ro...@firedrake.org> wrote:

> On Wed, Jan 13, 2010 at 10:05:08AM -0500, Chris Devers wrote:
>
>> Congratulations, you've discovered ACLs.
>
> I suspect that the short answer to this is "I am root, dammit. If I tell
> you to remove my head with a chainsaw, I expect you to assume I have a
> good reason and _do_ it. I didn't su - just for fun."
>
> But that wouldn't match Apple's expected user profile.

Well, my take there is that the whole *point* of ACLs is to provide an
access control framework that can't just be trivially trumped by any
old yokel that figures out the root password. As Mr Newton says,
having root access now doesn't mean you get access to everything, but
that you have the power to give yourself access to anything, if you
know how to do so.

Not to mention the fact that ACLs provide much more fine-grained
control to begin with.

To paste from one of the URLs in my original reply:

<quote href="http://arstechnica.com/apple/reviews/2005/04/macosx-10-4.ars/8#acls2">

Worse, imagine that you want to grant the ability to delete a
particular file to a group of users. In traditional Unix permissions,
there is no "delete" permission for a single file. The ability to
delete a file is controlled by the "write" permission of the parent
directory. But you want to allow just this particular file to be
deleted, not all files in the same directory. The Unix permission
system is not fine-grained enough to accommodate these needs.

Enter access control lists. An ACL is an ordered list of rules that
control file permissions. Each rule specifies three things: an actor,
an action, and whether that action is allowed or denied. A rule is
also known as an ACE, or access control entry.

To determine whether or not to allow an action, the rules are
considered in order. The first rule that is applicable to the current
actor and action determines the decision, and no further rules are
considered. If none of the rules apply, then the decision is
determined by the traditional Unix file permissions.

Note that the Unix permissions are not even considered unless none of
the ACEs are applicable. It's possible to have a file that "appears"
to be readable to everyone, for example, but that actually allows no
one to read it, or just allows a single user to read it, and so on. In
effect, the Unix file permissions can be totally ignored if the access
control list contains rules that apply to all potential actions and
actors.

(It's actually a bit more complex in the case where multiple actions
are requested simultaneously—opening a file for reading and writing,
for example. But the overriding rule is the same: ACEs take precedence
over Unix permissions.)

ACLs can be modified from the command line using the chmod command
(run "man chmod" for details) or the Workgroup Manager application in
Mac OS X Server.

[...]

ACLs have existed in various forms in many other operating systems
over the years. In many ways, Tiger is playing catch-up here. Even
classic Mac OS has some file sharing features that are beyond the
capabilities of traditional Unix file permissions.

The addition of ACLs to Tiger was significantly motivated by the
mismatch between Unix permissions and the Windows/Active Directory
permissions model. With Tiger, Mac OS X can finally serve files to
(and exist as a full peer on) a Windows network.

</quote>

The ACL implementation on OSX is lifted wholesale from the Windows XP
design for the same framework.

If you find the way they work on both OSX & XP hateful, that's fine.

And if you don't like the fact that they trump Unix permissions,
that's also fine.

But this isn't just something that Apple made up, and it does both
solve real problems and create new possibilities that could not be
easily managed by the traditional Unix/Posix permissions framework.

Most of the modern Unix & Linux variants have adopted the same ACL
framework over the past few years, so Apple is hardly out of step on
this -- though I, for one, appreciate that the OSX implementation
folds the interface for ACLs into familiar existing commands like `ls`
& `chmod`, rather than forcing you to learn new `getfacl` & `setfacl`
(etc) commands.

If you find the whole thing unbearable, you're welcome to keep
running Panther, if you happen to still have any hardware capable of
booting it. That or pick the 5+ year old Linux distro of your choice.

--
Chris Devers
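The evaluation order the quoted Ars Technica passage describes (walk the ACEs in order, the first one matching actor and action decides, fall back to the Unix mode bits only when no ACE applies) is easy to lose in prose. The model below is an added example written for this thread, not code from Apple, Ars Technica, or anyone in the discussion. It simulates that algorithm one action at a time (the article notes that combined read+write opens are more involved, and this ignores that), with constructed users, groups and files. Actor strings such as "user:alice", "group:editors" and "everyone", and the mapping of "delete" to the parent directory's write bit, are simplifications chosen for the example, not macOS internals; on a real Tiger-or-later system the equivalent entries are managed with `chmod +a` and shown with `ls -le`.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed model: actors are "user:NAME", "group:NAME" or "everyone";
# actions are "read", "write" or "delete". Not the real kernel representation.

@dataclass(frozen=True)
class ACE:
    actor: str
    action: str
    allow: bool   # True = allow, False = deny


@dataclass
class Node:
    owner: str
    group: str
    mode: int                      # traditional permission bits, e.g. 0o644
    acl: List[ACE] = field(default_factory=list)   # ordered; first match wins


def ace_applies(ace: ACE, user: str, groups: Set[str], action: str) -> bool:
    """An ACE applies when it names this action and covers this actor."""
    if ace.action != action:
        return False
    if ace.actor == "everyone":
        return True
    kind, _, name = ace.actor.partition(":")
    if kind == "user":
        return name == user
    if kind == "group":
        return name in groups
    return False


def mode_allows(node: Node, user: str, groups: Set[str], action: str) -> bool:
    """Traditional owner/group/other check for read or write."""
    bit = {"read": 4, "write": 2}[action]
    if user == node.owner:
        perm = (node.mode >> 6) & 0o7
    elif node.group in groups:
        perm = (node.mode >> 3) & 0o7
    else:
        perm = node.mode & 0o7
    return bool(perm & bit)


def evaluate(node: Node, user: str, groups: Set[str], action: str,
             parent: Optional[Node] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). ACEs are consulted in order; the first
    applicable one decides. Only if none applies do mode bits matter.
    For "delete", Unix has no per-file bit: the fallback is the parent
    directory's write permission, as the quoted article explains."""
    for ace in node.acl:
        if ace_applies(ace, user, groups, action):
            verb = "allow" if ace.allow else "deny"
            return ace.allow, f"ACE '{ace.actor} {verb} {action}'"
    if action == "delete":
        if parent is None:
            raise ValueError("delete requires the parent directory")
        return mode_allows(parent, user, groups, "write"), "parent directory write bit"
    return mode_allows(node, user, groups, action), "Unix mode bits"


def demo() -> dict:
    # A file that *appears* world-readable (0644) but whose ACL lets only alice read it.
    # Equivalent macOS shape (not run here): chmod +a "everyone deny read" secret.txt
    secret = Node("alice", "staff", 0o644, acl=[
        ACE("user:alice", "read", True),
        ACE("everyone", "read", False),
    ])
    # Same two ACEs reversed: first-match means the deny now also catches alice.
    misordered = Node("alice", "staff", 0o644, acl=list(reversed(secret.acl)))
    # Directory the editors group cannot write to, yet one file in it is
    # deletable by them through an ACE: the per-file "delete" Unix lacks.
    shared_dir = Node("root", "wheel", 0o755)
    memo = Node("root", "wheel", 0o644, acl=[ACE("group:editors", "delete", True)])
    other = Node("root", "wheel", 0o644)
    return {
        "alice_reads_secret": evaluate(secret, "alice", {"staff"}, "read")[0],
        "bob_reads_secret": evaluate(secret, "bob", {"staff"}, "read")[0],
        "alice_reads_misordered": evaluate(misordered, "alice", {"staff"}, "read")[0],
        "bob_writes_secret": evaluate(secret, "bob", {"staff"}, "write")[0],
        "carol_deletes_memo": evaluate(memo, "carol", {"editors"}, "delete", parent=shared_dir)[0],
        "carol_deletes_other": evaluate(other, "carol", {"editors"}, "delete", parent=shared_dir)[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Two points worth checking when auditing ACLs are visible in `demo()`: ACE order changes the outcome for identical entries, and a `chmod 644` style listing says nothing about who can actually read the file once ACEs are present, which is why `ls -le` (not plain `ls -l`) is the right view on OS X.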
