At 12:40 AM -0500 11/17/02, William H. Magill wrote:
"Real ACLs" on the other hand are quite extensive -- see Digital's VMS for one set.
For example one can identify random individuals as authorized to read a file, and a completely different set of individuals to write it. "Real ACLs" have no link to the standard Unix UGO permission scheme except as defaults.
That's a little obscure. Access Control Lists give you the ability to attach an arbitrary number of permissions to a given file. So you could say that everyone in R&D can read this file, everyone in sales can write it, and joe, if joe is in accounting, can delete it. (In Unix, delete permissions are on the directory, not the file, but that's a separate issue.)

When you try to access a file, it checks who you are (and of course, you may belong to multiple groups) and compares it to the access control list and decides what you're allowed to do.

Standard Unix, on the other hand, attaches read/write/execute permissions to a file, and can associate them with one person, one group, and the entire world. Much more limited.

Used properly, ACLs can create a system that is much more secure, because you can restrict access to certain parts of the system to specific processes that need to use that sub-system. However, with the exception of the OpenBSD folks, hardly any Unix vendors have taken advantage of even the *Unix* file permissions to do this. As a for instance, you shouldn't have to become root to install a printer, or install a piece of email system software. You should only have to become a member of the group which manages those components. That kind of distributed authority makes it much harder for a virus or worm to gain complete access to the system. A worm that subverted the mail system, for instance, would solely have access to the mail system, nothing else.
--

Kee Hinckley - Somewhere.Com, LLC
http://consulting.somewhere.com/

I'm not sure which upsets me more; that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
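The two permission models compared in the message above, as an added worked example (not part of the thread and not code from either poster): a toy Unix user/group/other check next to a toy ACL check, run against the post's own scenario of R&D reading, sales writing, and joe (in accounting) deleting. The users, groups and file are constructed for the illustration. The UGO model deliberately keeps the classic rule that exactly one class (owner, then group, then other) is consulted, which is why the owner can be denied something the file's group is allowed. The ACL model is allow-only and unordered; real ACL systems (VMS, NFSv4, Windows) add deny entries and order-dependent evaluation, which this example does not model.

```python
"""Toy comparison of Unix UGO permission bits versus an access control list.

Added example; users, groups and the file are constructed, not from the post.
Neither model implements a superuser override.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Constructed sample directory: user -> set of group memberships.
GROUPS: Dict[str, Set[str]] = {
    "alice": {"rnd"},          # R&D
    "bob": {"sales"},          # sales
    "joe": {"accounting"},     # accounting
}


def groups_of(user: str) -> Set[str]:
    """Return the groups a user belongs to (empty set for unknown users)."""
    return GROUPS.get(user, set())


@dataclass(frozen=True)
class UgoMode:
    """Classic Unix ownership plus the three permission classes."""
    owner: str
    group: str
    owner_perms: FrozenSet[str]
    group_perms: FrozenSet[str]
    other_perms: FrozenSet[str]


def ugo_allows(mode: UgoMode, user: str, perm: str) -> bool:
    """Unix rule: select exactly one class for the caller and check only that class.

    The owner never falls through to the group or other class, even when those
    classes would have granted the permission.
    """
    if user == mode.owner:
        return perm in mode.owner_perms
    if mode.group in groups_of(user):
        return perm in mode.group_perms
    return perm in mode.other_perms


@dataclass(frozen=True)
class AclEntry:
    """One ACL entry: principal is 'user:<name>' or 'group:<name>'."""
    principal: str
    perms: FrozenSet[str]


def acl_allows(acl: List[AclEntry], user: str, perm: str) -> bool:
    """ACL rule (allow-only): union the grants of every entry matching the
    caller directly or through any of the caller's groups."""
    granted: Set[str] = set()
    user_groups = groups_of(user)
    for entry in acl:
        kind, _, name = entry.principal.partition(":")
        if kind == "user" and name == user:
            granted |= entry.perms
        elif kind == "group" and name in user_groups:
            granted |= entry.perms
    return perm in granted


# The scenario from the post: R&D reads, sales writes, joe deletes.
REPORT_ACL: List[AclEntry] = [
    AclEntry("group:rnd", frozenset({"read"})),
    AclEntry("group:sales", frozenset({"write"})),
    AclEntry("user:joe", frozenset({"delete"})),
]

# The closest UGO can get: one owner, one group, one world class.
# alice owns it with write only; group rnd may read; nobody else gets anything.
REPORT_MODE = UgoMode(
    owner="alice", group="rnd",
    owner_perms=frozenset({"write"}),
    group_perms=frozenset({"read"}),
    other_perms=frozenset(),
)


def compare(user: str, perm: str) -> Dict[str, bool]:
    """Evaluate one request under both models."""
    return {
        "ugo": ugo_allows(REPORT_MODE, user, perm),
        "acl": acl_allows(REPORT_ACL, user, perm),
    }


if __name__ == "__main__":
    for who, what in [("alice", "read"), ("bob", "write"), ("joe", "delete"), ("bob", "read")]:
        print(f"{who:>5} {what:<6} ->", compare(who, what))
```

Note the first row when run: alice, the owner, is denied read under UGO despite belonging to the file's group, because the owner class alone is consulted; the ACL grants it through her R&D membership. Under UGO there is also no way to express "sales may write" and "joe may delete" at the same time as "R&D may read", since only one group slot exists.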

