solarflow99 wrote:
I was wondering if anyone uses ACLs? I can't understand why they are necessary since regular file permissions seem to do the same thing, plus there are other alternatives such as SELinux. Is it safe to say that ACLs are not very popular?

ACLs are (intentionally) more complicated than simple file system permissions. Most of the time, simple file system permissions are sufficient, so there's no point in messing with ACLs. In general, ACLs need site-specific customizations to be useful, so they aren't used much by default package configurations, but when you have a large, heavily-customized network with many users, there's simply no efficient substitute for ACLs.

SELinux really isn't intended to be a substitute for ACLs. SELinux has the notion of a context, which can allow one application to access a file while denying access to another application running as the same user and group. This is great for sandboxing applications that have a high exposure to malicious interference, without locking down the box so tightly that your users can't manage their own files.

Another question is why the chattr command even exists, since only 3 of its options even work with newer filesystems now. What use is setting the (i) attribute compared to chmod 400?

There's no question chattr is a bit clunky, but it was implemented because it did some very useful things for certain niche use cases, and some of its features survive because there aren't any good alternatives. The 'i' attribute is basically a big "manual override" flag that prevents well-meaning scripts and applications from messing with something you really, truly do not want to be messed with, even if those scripts and applications would normally mess with it in spite of 400 permissions. It's very rare that you ever need to do this, but when you do, it's very nice to have it.

-- Chris
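
The difference between chmod 400 and the 'i' attribute described in the reply above, as an added shell example that is not part of the original post. The function names and the app.conf file are hypothetical; the second function assumes chattr from e2fsprogs, root privileges, and a filesystem that supports the immutable flag.

```shell
#!/bin/sh
# Added example; file names and contents are constructed.

# Part 1: three ways the owner (or a script running as the owner) still
# changes a mode-400 file. Prints one line per operation that succeeded.
mode400_bypasses() {
    dir=$(mktemp -d) || return 1
    f="$dir/app.conf"
    echo 'original' > "$f"; chmod 400 "$f"

    # Rename-over needs write permission on the directory, not on the file.
    echo 'replaced' > "$dir/tmp"
    mv -f "$dir/tmp" "$f" 2>/dev/null && [ "$(cat "$f")" = replaced ] && echo "rename: changed"

    # The owner can always chmod their own file back to writable.
    chmod 400 "$f"
    chmod u+w "$f" && echo 'edited' >> "$f" && echo "chmod+write: changed"

    # Unlink is also a directory operation.
    chmod 400 "$f"
    rm -f "$f" && [ ! -e "$f" ] && echo "unlink: removed"
    rm -rf "$dir"
}

# Part 2: the same operations against an immutable file.
# Returns 0 if all were refused, 1 if any went through,
# 2 if the flag could not be set (not root, or no filesystem support).
immutable_blocks() {
    dir=$(mktemp -d) || return 1
    f="$dir/app.conf"
    echo 'original' > "$f"
    if ! chattr +i "$f" 2>/dev/null; then rm -rf "$dir"; return 2; fi
    result=0
    echo 'replaced' > "$dir/tmp"
    mv -f "$dir/tmp" "$f" 2>/dev/null && result=1
    ( echo 'edited' >> "$f" ) 2>/dev/null && result=1
    rm -f "$f" 2>/dev/null; [ -e "$f" ] || result=1
    chattr -i "$f" 2>/dev/null; rm -rf "$dir"   # clear the flag so cleanup works
    return $result
}

mode400_bypasses
rc=0; immutable_blocks || rc=$?
echo "immutable_blocks exit status: $rc"
```

Run as an ordinary user, the second function returns 2 because setting the flag requires root; run as root on a supporting filesystem it returns 0, since the immutable flag is enforced for root as well.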
