Why aren't Posix ACLs installed by default by Linux
 

I recently started using Posix ACLs which seem to work very nice for me. The question I have is why haven't they become standard with Linux distros? I haven't seen any distros that come configured for them out of the box and I was wondering if there's some issue with them?

well they are an extra layer of complexity that is seldom required on computers. if you have a desktop then each user has their files or you have a share. if you have a server, access is often on a local basis with very few people doing anything. obviously there is a need for file acl's in some situations, so they are there if needed, but there is not normally a requirement for them on an average system.

Reply
 

You see my thing about it is they enhance, not replace, the current ACLs. It still uses owner, group, others it just offers you the advantage of user or group specific policies if you wish to implement them. If you choose not to use them they don't affect anything. From an end user's perspective the system wouldn't be any different. That's my opinion though.

If you use a filesystem that supports them, I believe they are supported by default in OpenSuSE 10.0. I tested using getfacl and setfacl when answering a post on this site.

Reply
 

It's good to know some do but I'm wondering why it hasn't been a standard since it doesn't affect anything if you choose not to use them it just gives better tools if you do. Recompiling a kernel just to get them is a pain.

well there are lots of things that don't affect anything... but they still are another module to load etc... but generally i would think there is a good argument to use them by default... they are still horribly messy and easy to fall into though...

Reply
 

Not sure what you mean by horribly messy and easy to fall into. There isn't any problems with them I should be aware of is there?

One item is that you need use star instead of tar to make backups. You may need to rewrite alot of scripts. If you are using SELinux, you need to work with its ACL. There is another security module you may be using instead. Might be the same story. What do you need to do if you share the folder on the network? NFS has problems with ACLs and samba has it's own version of ACLs that you may need to work at mapping one to the other.

If you have a home workstation and don't have several users, you don't need access control lists. If you are running a server and don't have any regular users at all you may not need them.

You would use them for a particular purpose, such as allowing students to access each others files who are working on a lab. So how you use them would take some planning and implementing that a default implementation wouldn't fit anyway.

Just my 2 cents worth.

It might be a good idea if a GUI setup program like YaST included an ACL submodule or section under the "Users and Permissions" session to help set them up, and to raise their profile. I may have been wrong that they were installed by default. I just checked and setfacl comes from the acl package, which I may have coincidently had installed ahead of time. However, I didn't have to recompile my kernel, simply install the acl package.

Reply
 

Well at least I know why they aren't used by default. I had heard SELinux has problems with them and they shouldn't be installed together. Backups I hadn't thought of. I have samba installed as well and it was no big deal using them together. NFS I'm not sure of. Since I need it to work with Windows systems I try to have it work with them well. I still believe they could compile it with support for it. If the mount options aren't set it doesn't use them, however it's easy to fix the mount options. The kernel needs a recompile and if you don't feel like recompiling your kernel or aren't allowed to you're SOL. Thank you for putting the time into that response.