Why aren't Posix ACLs installed by default by Linux
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
Why aren't Posix ACLs installed by default by Linux
I recently started using Posix ACLs which seem to work very nice for me. The question I have is why haven't they become standard with Linux distros? I haven't seen any distros that come configured for them out of the box and I was wondering if there's some issue with them?
well they are an extra layer of complexity that is seldom required on computers. if you have a desktop then each user has their files or you have a share. if you have a server, access is often on a local basis with very few people doing anything. obviously there is a need for file acl's in some situations, so they are there if needed, but there is not normally a requirement for them on an average system.
You see my thing about it is they enhance, not replace, the current ACLs. It still uses owner, group, others it just offers you the advantage of user or group specific policies if you wish to implement them. If you choose not to use them they don't affect anything. From an end user's perspective the system wouldn't be any different. That's my opinion though.
It's good to know some do but I'm wondering why it hasn't been a standard since it doesn't affect anything if you choose not to use them it just gives better tools if you do. Recompiling a kernel just to get them is a pain.
well there are lots of things that don't affect anything... but they still are another module to load etc... but generally i would think there is a good argument to use them by default... they are still horribly messy and easy to fall into though...
One item is that you need use star instead of tar to make backups. You may need to rewrite alot of scripts. If you are using SELinux, you need to work with its ACL. There is another security module you may be using instead. Might be the same story. What do you need to do if you share the folder on the network? NFS has problems with ACLs and samba has it's own version of ACLs that you may need to work at mapping one to the other.
If you have a home workstation and don't have several users, you don't need access control lists. If you are running a server and don't have any regular users at all you may not need them.
You would use them for a particular purpose, such as allowing students to access each others files who are working on a lab. So how you use them would take some planning and implementing that a default implementation wouldn't fit anyway.
Just my 2 cents worth.
It might be a good idea if a GUI setup program like YaST included an ACL submodule or section under the "Users and Permissions" session to help set them up, and to raise their profile. I may have been wrong that they were installed by default. I just checked and setfacl comes from the acl package, which I may have coincidently had installed ahead of time. However, I didn't have to recompile my kernel, simply install the acl package.
Well at least I know why they aren't used by default. I had heard SELinux has problems with them and they shouldn't be installed together. Backups I hadn't thought of. I have samba installed as well and it was no big deal using them together. NFS I'm not sure of. Since I need it to work with Windows systems I try to have it work with them well. I still believe they could compile it with support for it. If the mount options aren't set it doesn't use them, however it's easy to fix the mount options. The kernel needs a recompile and if you don't feel like recompiling your kernel or aren't allowed to you're SOL. Thank you for putting the time into that response.