solarflow99 wrote:
> I was wondering if anyone uses ACLs? I can't understand why they are
> necessary since regular file permissions seem to do the same thing, plus
> there are other alternatives such as selinux. Is it safe to say that
> ACLs are not very popular?
ACLs are (intentionally) more complicated than simple file system
permissions. Most of the time, simple file system permissions are
sufficient, so there's no point in messing with ACLs. In general, ACLs
need site-specific customizations to be useful, so they aren't used much
by default package configurations, but when you have a large,
heavily-customized network with many users, there's simply no efficient
substitute for ACLs.
SELinux really isn't intended to be a substitute for ACLs. SELinux has
the notion of a context, which can allow one application to access a
file while denying access to another application running as the same
user and group. This is great for sandboxing applications that have a
high exposure to malicious interference, without locking down the box so
tightly that your users can't manage their own files.
> Another question is why the chattr command even exists, since only 3 of
> its options even work with newer filesystems now, what use is setting
> the (i) attribute compared to chmod 400?
There's no question chattr is a bit clunky, but it was implemented
because it did some very useful things for certain niche use cases, and
some of its features survive because there aren't any good alternatives.
The 'i' attribute is basically a big "manual override" flag that prevents
well-meaning scripts and applications from messing with something you
really, truly do not want to be messed with, even if those scripts and
applications would normally mess with it in spite of 400 permissions.
It's very rare that you ever need to do this, but when you do, it's very
nice to have it.
-- Chris
_______________________________________________
rhelv5-list mailing list
rhelv5-list@(protected)
https://www.redhat.com/mailman/listinfo/rhelv5-list
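The reply above makes three points that are easy to state and easy to get wrong in practice: mode 400 only restricts what the file's content bits allow, not what its owner or the directory's writers can do to the file as an object; chattr +i stops even root from changing or unlinking it; and a POSIX ACL adds an entry for one named user without reshuffling the owner, group and other bits. The script below is an added demonstration of all three, not code from the post or from the list. It assumes GNU coreutils, a writable temp directory, and, for the +i and ACL parts, root plus an ext-family or xfs filesystem and the acl package (setfacl/getfacl); where those are absent the corresponding function reports "skipped" rather than failing. The user name passed to acl_grant is an assumed parameter, not something the post mentions.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): chmod 400 versus
# chattr +i, and what a POSIX ACL entry looks like.
# Assumptions: GNU coreutils and a writable $TMPDIR; chattr +i needs
# CAP_LINUX_IMMUTABLE (root) and a filesystem with inode flags; ACLs
# need the acl package and an ACL-capable filesystem.

# Mode 400 restricts reads and writes to the content, but the owner can
# flip the bits back, and unlinking is decided by the directory's
# permissions, so a "well-meaning" script still gets its way.
mode_400_protection() {
    dir=$(mktemp -d)
    f="$dir/secret.conf"                 # constructed sample file
    printf 'key=original\n' > "$f"
    chmod 400 "$f"

    # Script 1: rewrite the file by temporarily adding the write bit.
    chmod u+w "$f" && printf 'key=clobbered\n' > "$f" && chmod 400 "$f"
    rewritten=$(cat "$f")

    # Script 2: delete it. No write bit on the file is required.
    rm -f "$f" 2>/dev/null || true
    [ -e "$f" ] && deleted=no || deleted=yes
    rm -rf "$dir"
    echo "rewritten=$rewritten deleted=$deleted"
}

# With the immutable attribute set, chmod, open-for-write and unlink all
# fail with EPERM, root included, until someone runs chattr -i.
immutable_protection() {
    dir=$(mktemp -d)
    f="$dir/secret.conf"                 # constructed sample file
    printf 'key=original\n' > "$f"
    chmod 400 "$f"
    if ! chattr +i "$f" 2>/dev/null; then
        rm -rf "$dir"
        echo "skipped"                   # not root, no chattr, or no +i support
        return 0
    fi
    # Same two scripts as above, now against an immutable file.
    chmod u+w "$f" 2>/dev/null && printf 'key=clobbered\n' > "$f" 2>/dev/null
    rm -f "$f" 2>/dev/null || true
    content=$(cat "$f")
    [ -e "$f" ] && deleted=no || deleted=yes
    chattr -i "$f"                       # lift the override before cleanup
    rm -rf "$dir" 2>/dev/null || true
    echo "content=$content deleted=$deleted"
}

# A POSIX ACL grants one extra user read access without changing the
# owner/group/other bits or moving the file into a new group.
# $1 is the user to grant (assumed parameter); pass "$(id -un)" to run
# this unprivileged.
acl_grant() {
    user=$1
    dir=$(mktemp -d)
    f="$dir/shared.log"                  # constructed sample file
    : > "$f"
    chmod 600 "$f"
    if ! setfacl -m "u:$user:r" "$f" 2>/dev/null; then
        rm -rf "$dir"
        echo "skipped"                   # no setfacl or no ACL support
        return 0
    fi
    # getfacl lists the named-user entry; ls -l would now show a '+'.
    entry=$(getfacl --omit-header "$f" 2>/dev/null | grep "^user:$user:")
    rm -rf "$dir"
    echo "$entry"
}

main() {
    echo "chmod 400: $(mode_400_protection)"
    echo "chattr +i: $(immutable_protection)"
    echo "ACL entry: $(acl_grant "$(id -un)")"
}
main
```

Run it twice, once as an ordinary user and once as root on an ext4 or xfs path, to see the difference: the mode-400 file is rewritten and deleted in both runs, the immutable file survives both attempts only when +i could actually be set, and the ACL line comes back as user:NAME:r--. Once a file carries an ACL, the group field in ls -l shows the ACL mask rather than the group entry, which is the usual source of confusion when people try to read ACL-bearing files with plain ls.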