Also: If the administrator doesn't want the users to be able to share then
the administrator needs mandatory access controls. MAC controls would put
the users into separate compartments which would prevent sharing access. But
MAC is still another topic (I'm in favor of it though).
ACLs are descretionary - the user has control over ACL entries, not the
administrator.
> > Also, things are
> > far more complex to review if any user can give access to anyone through
> > acls. The acls are not seen directly with ls
>
> ls is fixable. Possibly by extending "ls -l" to show acl's or at
> least indicate in some way that acl's are present. The latter may
> be preferable to avoid script incompatibilities, sonething like this:
> Arw-r--r-- 1 helge helge 140 Feb 9 1999 .bash_profile
> The 'A' indicates that acl(s) are present, the user may then use
> something like "ls --acl" and get the full acl information.
Due to the possible size of the ACL (it is a list, after all), the UNIX
ls command should not try to implement a "--acl". They could list up
to 256 ACL entries, which would definitely be a pain in a "ls -R --acl".
They only show a flag to indicate an ACL exists. It would be up to the
user to select an appropriate utility to display the ACL for a file/directory.
Consider: ls is used as a search tool to locate certain files that match a
pattern. To exend ls to be able to search an ACL to match a pattern would
be unreasonable; but it is reasonable for a dedicated utility.
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: pollard@navo.hpc.mil
Any opinions expressed are solely my own.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/