LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-30-2006, 11:13 AM   #1
HGeneAnthony
Member
 
Registered: Mar 2003
Posts: 178

Rep: Reputation: 30
Why aren't Posix ACLs installed by default by Linux


I recently started using Posix ACLs which seem to work very nice for me. The question I have is why haven't they become standard with Linux distros? I haven't seen any distros that come configured for them out of the box and I was wondering if there's some issue with them?
 
Old 05-01-2006, 04:05 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,386

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
well they are an extra layer of complexity that is seldom required on computers. if you have a desktop then each user has their files or you have a share. if you have a server, access is often on a local basis with very few people doing anything. obviously there is a need for file acl's in some situations, so they are there if needed, but there is not normally a requirement for them on an average system.
 
Old 05-01-2006, 06:50 AM   #3
HGeneAnthony
Member
 
Registered: Mar 2003
Posts: 178

Original Poster
Rep: Reputation: 30
Reply

You see my thing about it is they enhance, not replace, the current ACLs. It still uses owner, group, others it just offers you the advantage of user or group specific policies if you wish to implement them. If you choose not to use them they don't affect anything. From an end user's perspective the system wouldn't be any different. That's my opinion though.
 
Old 05-04-2006, 09:07 PM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
If you use a filesystem that supports them, I believe they are supported by default in OpenSuSE 10.0. I tested using getfacl and setfacl when answering a post on this site.

Last edited by jschiwal; 05-04-2006 at 09:11 PM.
 
Old 05-05-2006, 06:02 AM   #5
HGeneAnthony
Member
 
Registered: Mar 2003
Posts: 178

Original Poster
Rep: Reputation: 30
Reply

It's good to know some do but I'm wondering why it hasn't been a standard since it doesn't affect anything if you choose not to use them it just gives better tools if you do. Recompiling a kernel just to get them is a pain.
 
Old 05-05-2006, 06:07 AM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,386

Rep: Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963Reputation: 1963
well there are lots of things that don't affect anything... but they still are another module to load etc... but generally i would think there is a good argument to use them by default... they are still horribly messy and easy to fall into though...
 
Old 05-05-2006, 08:30 AM   #7
HGeneAnthony
Member
 
Registered: Mar 2003
Posts: 178

Original Poster
Rep: Reputation: 30
Reply

Not sure what you mean by horribly messy and easy to fall into. There isn't any problems with them I should be aware of is there?
 
Old 05-05-2006, 11:59 PM   #8
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
One item is that you need use star instead of tar to make backups. You may need to rewrite alot of scripts. If you are using SELinux, you need to work with its ACL. There is another security module you may be using instead. Might be the same story. What do you need to do if you share the folder on the network? NFS has problems with ACLs and samba has it's own version of ACLs that you may need to work at mapping one to the other.

If you have a home workstation and don't have several users, you don't need access control lists. If you are running a server and don't have any regular users at all you may not need them.

You would use them for a particular purpose, such as allowing students to access each others files who are working on a lab. So how you use them would take some planning and implementing that a default implementation wouldn't fit anyway.

Just my 2 cents worth.

It might be a good idea if a GUI setup program like YaST included an ACL submodule or section under the "Users and Permissions" session to help set them up, and to raise their profile. I may have been wrong that they were installed by default. I just checked and setfacl comes from the acl package, which I may have coincidently had installed ahead of time. However, I didn't have to recompile my kernel, simply install the acl package.

Last edited by jschiwal; 05-06-2006 at 12:04 AM.
 
Old 05-06-2006, 07:38 AM   #9
HGeneAnthony
Member
 
Registered: Mar 2003
Posts: 178

Original Poster
Rep: Reputation: 30
Reply

Well at least I know why they aren't used by default. I had heard SELinux has problems with them and they shouldn't be installed together. Backups I hadn't thought of. I have samba installed as well and it was no big deal using them together. NFS I'm not sure of. Since I need it to work with Windows systems I try to have it work with them well. I still believe they could compile it with support for it. If the mount options aren't set it doesn't use them, however it's easy to fix the mount options. The kernel needs a recompile and if you don't feel like recompiling your kernel or aren't allowed to you're SOL. Thank you for putting the time into that response.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Posix ACLs are only working on directories HGeneAnthony Linux - Security 3 04-07-2006 11:39 AM
Linux ACLs kcv Linux - Security 6 09-14-2005 03:50 PM
Fedora Core 3, Windows ACLs, POSIX ?? jabran Fedora 6 06-24-2005 10:01 PM
Wich are the default passwords when Linux SuSe was installed gerargon Linux - General 2 12-10-2004 02:37 PM
where do new programs get installed by default in lredhat linux Coolioarchfiend Linux - Newbie 5 03-05-2004 11:10 PM


All times are GMT -5. The time now is 03:55 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration