[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ACL complexity

From: Bruno Haible
Subject: Re: ACL complexity
Date: Fri, 13 Jan 2023 10:15:11 +0100

Paul Eggert wrote (when talking about libxattr and such):
> No kidding. This stuff is waaaayy too complicated.

More generally, I find the semantics and the syntax of ACLs on most
systems to be more demanding than what the average command-line user can
grok. While for random features of the OS this would just be a nuisance
that can be ignored, for a feature with impact on security this is a
major problem.

What I mean is:

1) The syntax.

# getfacl /tmp/file
getfacl: Removing leading '/' from absolute path names  (<< what is this about?)
# file: tmp/file
# owner: test1
# group: test

A sysadmin may understand this, but an average command-line user won't.

Suggestion: Add a mode to 'ls' (not to getfacl, because average users
know about 'ls' only) that displays the same info with explanations.
It doesn't matter if the output is 25 lines instead of 8 lines, in this

2) The semantics.

What are "effective" permissions
https://tylersguides.com/guides/linux-acl-permissions-tutorial/ ?

Suggestion: Provide a kind of "testing toolbox" to the users, which they
can use to simulate what happens when someone tries to access an existing
or new file, after they have set specific permissions and ACLs.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]