On Jan 13, 2010, at 8:09 AM, Chris Devers wrote:
On Wed, Jan 13, 2010 at 10:13 AM, Roger Burton West
<ro...@firedrake.org> wrote:
On Wed, Jan 13, 2010 at 10:05:08AM -0500, Chris Devers wrote:
Congratulations, you've discovered ACLs.
wintermute:~ jjuran$ /usr/sbin/fsaclctl -p /
Access control lists are not supported or currently disabled on /.
The inaccuracy of your statements tends to mitigate their patronizing
effect.
I suspect that the short answer to this is "I am root, dammit. If
I tell
you to remove my head with a chainsaw, I expect you to assume I
have a
good reason and _do_ it. I didn't su - just for fun."
Well, chown is hardly decapitation. It's even more or less reversible.
But that wouldn't match Apple's expected user profile.
I think Stockholm Syndrome applies here.
Well, my take there is that the whole *point* of ACLs is to provide an
access control framework that can't just be trivially trumped by any
old yokel that figures out the root password. As Mr Newton says,
having root access now doesn't mean you get access to everything, but
that you have the power to give yourself access to anything, if you
know how to do so.
I call BS. ACLs are not capabilities, and they're not meant to limit
privileged users.
To paste from one of the URLs in my original reply:
<quote href="http://arstechnica.com/apple/reviews/2005/04/
macosx-10-4.ars/8#acls2">
Worse, imagine that you want to grant the ability to delete a
particular file to a group of users. In traditional Unix permissions,
there is no "delete" permission for a single file. The ability to
delete a file is controlled by the "write" permission of the parent
directory. But you want to allow just this particular file to be
deleted, not all files in the same directory. The Unix permission
system is not fine-grained enough to accommodate these needs.
[...]
ACLs have existed in various forms in many other operating systems
over the years. In many ways, Tiger is playing catch-up here. Even
classic Mac OS has some file sharing features that are beyond the
capabilities of traditional Unix file permissions.
Yeah, like the advisory Copy Protect bit that only the Finder honors.
The addition of ACLs to Tiger was significantly motivated by the
mismatch between Unix permissions and the Windows/Active Directory
permissions model. With Tiger, Mac OS X can finally serve files to
(and exist as a full peer on) a Windows network.
This part is key to understanding the motivation for including ACL
support in OS X. The multi-user argument is a red herring for client
machines -- how many other users even have accounts on your box, let
alone need to be granted fine-grained privileges?
</quote>
If you find it the whole thing unbearable, you're welcome to keep
running Panther, if you happen to still have any hardware capable of
booting it. That or pick the 5+ year old Linux distro of your choice.
I haven't run Panther since I gave my iBook a fresh install in 2006,
after it decided that it should hang itself whenever I attempted to
power on the AirPort card (which worked fine in OS 9). Now it's dual-
booting OS 9 and Debian.
However, I do have an install of Jaguar on my G4 iMac, but really
that was only because the OS 9 installer is an OS X app, and I hardly
ever run it. My TiBook is running Tiger (though ready to reboot into
OS 9 at a moment's notice), and the Cube and the (G4-upgraded) B&W
tower are also running OS 9. I think that about covers my NewWorld
Mac collection.
Aren't you glad you mentioned Panther?
Josh
