William H. Magill on Mon, 3 Feb 2003 18:30:15 -0500



Re: [PLUG] Moving a lot of user accounts


On Monday, February 3, 2003, at 10:47 AM, Brian Epstein wrote:
> > I disagree. The right solution to that problem is file access
> > control lists, which can be managed by the users entirely without
>
> Well, we'll have to agree to disagree, then.  ACLs don't work the same
> across OSs, or across filesystems.  And in general, most SAs wouldn't
> know a filesystem ACL if they tripped over one.  They are not obvious
> in most situations like file permissions.

The reason that ACLs are not as obvious as file permissions is that the folks who maintain "ls" haven't bothered to support them.


Why haven't they bothered to support them?

Because the code hasn't been touched since about 1980.

Just because something works does not mean that it is not obsolete.

And because ls doesn't support ACLs most SAs wouldn't know an ACL if they tripped over them because the books and people teaching SAs "all about Unix" don't know anything about them.

ACLs, like journaled file systems, have been around for a LOT longer than most Unix SAs believe.

The problem with "groups" is that there are two different kinds of "groups" -- the System V groups and the BSD groups -- and there is very little in common between the two of them besides their name. I don't know what Red Hat has done, but it sounds like it has created "yet another" version of Groups (YAVG?).

ACLs are important technology for the simple reason that the access control stays with the data... (yeah, I know it's implementation dependent). It does not change when you dump a file and restore it. It does not change when you tar that file off or copy it to another system.

ACLs represent a VERY different way of looking at data security than the classic Unix -- anybody can have anything they can get to -- model.

It is true that ACLs are foreign to Unix SAs... but they have been used for years by non-Unix "proprietary" operating system SAs and represent one of the reasons that there is still very strong security aversion to Unix. And we're talking about data security here, not network cracking. Unix is incredibly "behind the times" in this area.

Unix is still in the "workstation" model -- one machine does one thing for one person. It does not "scale" to support large multi-user timesharing any better today than it did 20 years ago. IT HASN'T CHANGED. And until you have run a 10-20,000 user system you don't know what a "joy" it can be.

And don't forget -- Lotus Notes was written to SOLVE exactly this problem which we are discussing -- Work-team file sharing -- sharing files based upon a USER's actions and needs of the moment, not requiring a System Administrator's intervention.

T.T.F.N.
William H. Magill
# Beige G3 - Rev A motherboard - 768 Meg
# Flat-panel iMac (2.1) 800MHz - Super Drive - 768 Meg
# PWS433a [Alpha 21164 Rev 7.2 (EV56)- 64 Meg]- Tru64 5.1a
magill@mcgillsociety.org
magill@acm.org
magill@mac.com
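The thread argues over whether groups or file ACLs let a user share a file without an administrator. The following is an added illustration, not code from the PLUG thread or from any of the systems named in it: a small Python evaluator that compares classic mode bits with POSIX.1e-style ACL evaluation (owner, named users, owning group, named groups, mask, other). The ACL semantics assumed here are those of the POSIX.1e draft as Linux implements them, including the mask entry and the rule that a process in the group class which no group entry satisfies is denied rather than falling through to "other". The users, group names and getfacl-style entry lines are constructed for the demo.

```python
"""Toy evaluator: classic Unix mode bits versus POSIX.1e-style file ACLs.

Added illustration for the PLUG thread, not the list's or any project's code.
ACL semantics are assumed to follow POSIX.1e as Linux's posix_acl_permission()
implements them; user and group names below are constructed.
"""
from dataclasses import dataclass
from enum import IntFlag
from typing import Iterable


class Perm(IntFlag):
    """Permission bits laid out like the low three bits of a mode."""
    NONE = 0
    X = 1
    W = 2
    R = 4


# Evaluation order required by POSIX.1e.
_TAG_ORDER = {"user_obj": 0, "user": 1, "group_obj": 2,
              "group": 3, "mask": 4, "other": 5}


@dataclass(frozen=True)
class Entry:
    tag: str        # one of the keys of _TAG_ORDER
    qualifier: str  # user/group name for "user"/"group" entries, else ""
    perm: Perm


def parse_perm(s: str) -> Perm:
    """'rw-' -> Perm.R | Perm.W (the getfacl/setfacl short form)."""
    if len(s) != 3:
        raise ValueError(f"bad permission string {s!r}")
    p = Perm.NONE
    for ch, bit in zip(s, (Perm.R, Perm.W, Perm.X)):
        if ch == bit.name.lower():
            p |= bit
        elif ch != "-":
            raise ValueError(f"bad permission string {s!r}")
    return p


def parse_acl(lines: Iterable[str]) -> list[Entry]:
    """Parse getfacl-style text such as 'user:bob:r--' into sorted entries."""
    entries = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # skip '# owner:'-style comments
        if not line:
            continue
        kind, qual, perm = line.split(":")
        if kind in ("user", "group"):
            tag = kind if qual else kind + "_obj"   # empty qualifier = owner/owning group
        elif kind in ("mask", "other"):
            tag = kind
        else:
            raise ValueError(f"unknown entry kind {kind!r}")
        entries.append(Entry(tag, qual, parse_perm(perm)))
    return sorted(entries, key=lambda e: _TAG_ORDER[e.tag])


def mode_allows(mode: int, owner: str, group: str,
                uid: str, gids: set[str], want: Perm) -> bool:
    """Classic Unix check: exactly one of owner/group/other applies."""
    if uid == owner:
        bits = (mode >> 6) & 7
    elif group in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (Perm(bits) & want) == want


def acl_allows(acl: list[Entry], owner: str, group: str,
               uid: str, gids: set[str], want: Perm) -> bool:
    """POSIX.1e evaluation: named-user and all group entries are capped by the
    mask; a group-class process that no group entry satisfies is denied."""
    mask = next((e.perm for e in acl if e.tag == "mask"), Perm.R | Perm.W | Perm.X)
    in_group_class = False
    for e in sorted(acl, key=lambda e: _TAG_ORDER[e.tag]):
        if e.tag == "user_obj":
            if uid == owner:
                return (e.perm & want) == want            # owner is not masked
        elif e.tag == "user":
            if e.qualifier == uid:
                return (e.perm & mask & want) == want
        elif e.tag in ("group_obj", "group"):
            name = group if e.tag == "group_obj" else e.qualifier
            if name in gids:
                in_group_class = True
                if (e.perm & want) == want:
                    return (e.perm & mask & want) == want
        elif e.tag == "other":
            return False if in_group_class else (e.perm & want) == want
    return False


def demo() -> dict[str, bool]:
    """Constructed scenario: alice owns a file (group staff, mode 0640) and
    wants bob, who shares no group with her, to read it."""
    r = {}
    # With mode bits alone, only an administrator can put bob into 'staff'.
    r["mode: bob reads"] = mode_allows(0o640, "alice", "staff", "bob", {"users"}, Perm.R)
    # After alice runs `setfacl -m u:bob:r file`, getfacl shows entries like these:
    acl = parse_acl(["# owner: alice", "user::rw-", "user:bob:r--",
                     "group::r--", "mask::r--", "other::---"])
    r["acl: bob reads"] = acl_allows(acl, "alice", "staff", "bob", {"users"}, Perm.R)
    r["acl: carol(staff) writes"] = acl_allows(acl, "alice", "staff", "carol", {"staff"}, Perm.W)
    r["acl: dave reads"] = acl_allows(acl, "alice", "staff", "dave", {"users"}, Perm.R)
    # On Linux, chmod's group bits rewrite the mask of an ACL'd file, so a
    # `chmod g-r` silently cuts bob off as well.
    masked = parse_acl(["user::rw-", "user:bob:r--", "group::r--", "mask::---", "other::---"])
    r["acl+mask ---: bob reads"] = acl_allows(masked, "alice", "staff", "bob", {"users"}, Perm.R)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'allowed' if v else 'denied'}")
```

The mask behaviour is the practitioner's caveat: a named-user entry that the owner added can be switched off by an ordinary chmod, and `ls -l` shows only a `+` to hint that an ACL exists, which is the visibility gap the message complains about.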

_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug