Re: [rhelv5-list] commands

Sam Sharpe

2008-04-08

On Tue, 2008-04-08 at 09:58 +0100, solarflow99 wrote:
> I was wondering if anyone uses ACLs? I can't understand why they are
> necessary since regular file permissions seem to do the same thing,
> plus there are other alternatives such as selinux. Is it safe to say
> that ACLs are not very popular?

I use ACLs and they do not do the same thing as File System permissions.

Take the following directory:

[sam@(protected)
drwxrws---+ 5 www-su www-su 4096 Nov 15 2006 www-su

That says, let the user www-su and members of the group www-su
read/write to that directory. It also says preserve group membership on
files contained in that directory as www-su.

Now let's look at the facl:

# file: www-su
# owner: www-su
# group: www-su
user::rwx
group::rwx
group:apache:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:www-su:rwx
default:mask::rwx
default:other::---

Which additionally allows members of the apache group to read the
files and also gives default permissions for objects created in the
directory. ACLs are much, much more powerful than file permissions.

Let's take the case of the user owning that file which is owned by
www-su:www-su. If the user wants to let additional people read/write the
file they can only do so by editing /etc/group - which isn't something
normal users can do... or with ACLs they can do "setfacl -m
u:someuser:rwx www-su" and grant the permissions themselves.

I think it would be fair to say that ACLs are less popular than
traditional permissions, but they are not equivalent.

> Another question is why the chattr command even exists, since only 3
> of its options even work with newer filesystems now, what use is
> setting the (i) attribute compared to chmod 400?

If I chmod 400 the file, root can still delete it. If I chattr +i the
file, even root can't delete it without removing the immutable bit
first. It provides an additional safety level.

--
Sam

_______________________________________________
rhelv5-list mailing list
rhelv5-list@(protected)
https://www.redhat.com/mailman/listinfo/rhelv5-list
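The following is an added example, not code from Sam's mail or from any Red Hat tool. It takes the getfacl listing quoted above as its input and evaluates it the way the kernel does (POSIX 1003.1e draft 17 check order), which makes two things visible that the mail does not spell out: the mask:: entry caps every named user and group entry (and chmod's group triplet rewrites that mask, so a later "chmod g-w" silently clips what "setfacl -m u:someuser:rwx" granted), and the default ACL in the listing names www-su rather than apache, so a file created there with a normal umask gives apache members nothing. The user names bob, alice and carol are hypothetical; someuser is the one from the mail.

```python
"""POSIX ACL evaluator for getfacl(1) output.

Added example, not code from the mail: it parses the listing quoted in the
thread and answers "what can this user actually do?", applying the mask::
entry and simulating default-ACL inheritance for newly created files.
"""

# The getfacl listing from the mail, embedded here as the input to evaluate.
SAMPLE_ACL = """\
# file: www-su
# owner: www-su
# group: www-su
user::rwx
group::rwx
group:apache:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:www-su:rwx
default:mask::rwx
default:other::---
"""

FULL = frozenset("rwx")


def bits(s):
    """'r-x' -> {'r','x'}; an int is treated as an octal triplet, 6 -> {'r','w'}."""
    if isinstance(s, int):
        return {c for v, c in ((4, "r"), (2, "w"), (1, "x")) if s & v}
    return set(s) - {"-"}


def parse_getfacl(text):
    """Return {'owner', 'group', 'access', 'default'}; the last two map
    (tag, qualifier) -> permission set, e.g. ('group', 'apache') -> {'r','x'}."""
    acl = {"owner": None, "group": None, "access": {}, "default": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            section = "access"
            if line.startswith("default:"):
                section, line = "default", line[len("default:"):]
            tag, qual, perms = line.split(":")
            acl[section][(tag, qual)] = bits(perms)
    return acl


def check_access(acl, user, groups, requested):
    """Kernel check order: owner, named user, owning/named groups, other.
    mask:: limits everything except user:: and other::.  In the group stage
    one single matching entry must grant every requested bit."""
    e, req = acl["access"], bits(requested)
    mask = e.get(("mask", ""), FULL)
    if user == acl["owner"]:                      # owner: only user:: counts
        return req <= e[("user", "")]
    if ("user", user) in e:
        return req <= (e[("user", user)] & mask)
    cands = [e[("group", "")]] if acl["group"] in groups else []
    cands += [e[("group", g)] for g in groups if ("group", g) in e]
    if cands:                                     # no fall-through to other::
        return any(req <= (c & mask) for c in cands)
    return req <= e[("other", "")]


def setfacl_modify(acl, spec):
    """Apply one 'setfacl -m' entry such as 'u:someuser:rwx' and recompute
    mask:: as setfacl does by default: the union of group::, named-user and
    named-group entries."""
    tag, qual, perms = spec.split(":")
    tag = {"u": "user", "g": "group", "o": "other", "m": "mask"}.get(tag, tag)
    e = acl["access"]
    e[(tag, qual)] = bits(perms)
    if tag != "mask":
        e[("mask", "")] = set().union(*(p for (t, q), p in e.items()
                                         if t == "group" or (t == "user" and q)))
    return acl


def chmod_group(acl, perms):
    """chmod's group triplet writes mask:: when a mask exists (so 'chmod g-w'
    clips every named entry); without a mask it writes group::."""
    e = acl["access"]
    e[("mask", "") if ("mask", "") in e else ("group", "")] = bits(perms)
    return acl


def inherit(parent, creator, mode):
    """Access ACL of a file created with `mode` in a directory carrying
    parent['default']: default entries are copied, then the mode's owner,
    group and other triplets are ANDed into user::, mask:: (group:: when
    there is no mask) and other::.  The owning group comes from the parent
    via the setgid bit (the 's' in the mail's drwxrws---)."""
    e = {k: set(v) for k, v in parent["default"].items()}
    e[("user", "")] &= bits(mode >> 6 & 7)
    e[("other", "")] &= bits(mode & 7)
    e[("mask", "") if ("mask", "") in e else ("group", "")] &= bits(mode >> 3 & 7)
    return {"owner": creator, "group": parent["group"], "access": e, "default": {}}


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_ACL)
    print("apache member, dir rx:", check_access(acl, "bob", {"apache"}, "rx"))
    new = inherit(acl, "www-su", 0o644)          # typical umask 022 create
    print("apache member, new file r:", check_access(new, "bob", {"apache"}, "r"))
    chmod_group(setfacl_modify(acl, "u:someuser:rwx"), "r-x")
    print("someuser after chmod g-w, w:", check_access(acl, "someuser", set(), "w"))
```

Running it against the listing from the mail: an apache member can read and search the www-su directory but not write to it; a file created there with mode 0644 inherits mask::r--, so even www-su group members only get read on it and apache members (matching neither the owning group nor a named entry) fall through to other::--- and get nothing; and after "setfacl -m u:someuser:rwx" a "chmod g-w" on the directory lowers mask:: to r-x, so someuser silently loses write access without any ACL entry having been touched.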
©2008 redhatconfig.com - Jax Systems, LLC, U.S.A.