On 2010-01-13, at 10:09, Chris Devers wrote:
> Well, my take there is that the whole *point* of ACLs is to provide an
> access control framework that can't just be trivially trumped by any
> old yokel that figures out the root password.

Since when? An access control list is simply a way of defining permissions. In fact, the UNIX user/group/other mechanism *is* an ACL; it's simply a very very restricted one. There's nothing to ACLs that says they should or should not be ignored by root, Administrator, or SYSOP.

People mix up ACLs with all kinds of things. It seems to me you're mixing up ACLs with the usual misreading of the Orange Book that led to such abominations as SCO's "C2" security hack. Adding restrictions to root and making ACLs more "powerful" than regular u/g/o protections is a symptom of this kind of confusion.

ACLs are NOT REQUIRED by Orange Book until you get into mandatory access controls. ACLs do NOT need to trump UNIX permissions (if nothing else, UNIX permissions could simply be implemented as an ACL). ACLs do NOT need to trump root (in Orange Book terms, root is part of the TCB; under a MAC regime no user would be able to be root).

I have been watching people fuck up ACLs for over 20 years now. It's an old, dry hate.

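An added illustration of the point made in the message above that UNIX permissions can be expressed as an ACL (not part of the original post). It rewrites the nine mode bits as a three-entry list, checks that both forms give the same decision, and keeps the root bypass as a separate policy switch. All names and ids are hypothetical, and the root rule is simplified.

```python
# Added example: AclEntry, mode_to_acl and the ids used here are hypothetical.
from dataclasses import dataclass

R, W, X = 4, 2, 1

@dataclass(frozen=True)
class AclEntry:
    tag: str    # "user_obj", "group_obj" or "other" (POSIX.1e-style base entries)
    perms: int  # bitmask of R/W/X

def mode_to_acl(mode):
    """Express the nine u/g/o permission bits as a three-entry ACL."""
    return [AclEntry("user_obj", (mode >> 6) & 7),
            AclEntry("group_obj", (mode >> 3) & 7),
            AclEntry("other", mode & 7)]

def mode_check(mode, owner, group, uid, gids, want):
    """Classic UNIX check: the first matching class decides, no fall-through."""
    if uid == owner:
        bits = (mode >> 6) & 7
    elif group in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want

def acl_check(acl, owner, group, uid, gids, want):
    """The same decision, made by walking the ACL entries in order."""
    for e in acl:
        if ((e.tag == "user_obj" and uid == owner)
                or (e.tag == "group_obj" and group in gids)
                or e.tag == "other"):
            return e.perms & want == want
    return False

def access(acl, owner, group, uid, gids, want, root_bypass=True):
    """Whether uid 0 skips the list is policy layered outside the ACL.
    Simplified: real kernels apply extra rules (e.g. for execute)."""
    if root_bypass and uid == 0:
        return True
    return acl_check(acl, owner, group, uid, gids, want)

def equivalent_for_all_modes():
    """Compare both checks over every mode, subject class and request."""
    subjects = [(1000, {100}), (1001, {100}), (1002, {200})]  # constructed ids
    return all(
        mode_check(m, 1000, 100, u, g, w)
        == acl_check(mode_to_acl(m), 1000, 100, u, g, w)
        for m in range(0o1000) for u, g in subjects for w in range(1, 8))
```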