1. Beautiful Unix file permission model
The classic Unix file permission model is an elegant and powerful design. There are 4 groups of triple-bits, for "special", "owner permissions", "group permissions" and "others' permissions" respectively. It's very easy to convert the triple-bits from binary to octal format.
2. Ugly ACL
ACL tries to add more control by adding more specific rules to manage the permissions. That seems good, but in fact it is a mess.
2.1 ACL is not portable
Linux, Unix, BSD and NFS all have their own implementations of ACL, and they are not compatible with each other.
2.2 "ls -l" cannot display owning group's permission anymore
In the classic file permission model, only three different types of users exist: owner, owning group, and others.
With ACL, you can set permissions for any named user/group. E.g.
$ ll test
-rw-r--r--. 1 smstong smstong 0 Mar 10 12:20 test
$ setfacl -m u:user01:rx test
$ ll test
-rw-r-xr--+ 1 smstong smstong 0 Mar 10 12:20 test
$ getfacl test
# file: test
# owner: smstong
# group: smstong
user::rw-
user:user01:r-x
group::r--
mask::r-x
other::r--
When an ACL is set up, the second triple-bits printed by "ls -l" does NOT represent the owning group anymore. Instead, it's the "mask" now, which is the union of all permissions of named users/groups.
We have to use "getfacl" to show the owning group's permission.
2.3 "chmod" cannot change owning group's permission anymore
$ chmod g-x test
$ ll test
-rw-r--r--+ 1 smstong smstong 0 Mar 10 12:20 test
$ getfacl test
# file: test
# owner: smstong
# group: smstong
user::rw-
user:user01:r-x #effective:r--
group::r--
mask::r--
other::r--
$ chmod g+rxw test
$ ll test
-rw-rwxr--+ 1 smstong smstong 0 Mar 10 12:20 test
$ getfacl test
# file: test
# owner: smstong
# group: smstong
user::rw-
user:user01:r-x
group::r--
mask::rwx
other::r--
Then how can we change the owning group's permission? "chmod" doesn't work; we have to use "setfacl":
$ setfacl -m g::rx test
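An added example (not part of the original post) for sections 2.2 and 2.3: two shell functions that read "getfacl" output and report what "ls -l" shows in the group position versus what each entry is actually allowed once the mask is applied. The function and variable names are made up for this example; the sample ACLs are the ones printed above, with the owner/group header lines trimmed.

```shell
# Added example: parses `getfacl` text on stdin; needs only sh and awk to run.
# acl_effective prints "<tag>:<qualifier> <effective perms>" for every entry.
acl_effective() {
    awk '
    /^#/ || NF == 0 { next }            # skip "# file:" headers and blank lines
    {
        sub(/[ \t]*#.*/, "")            # drop a trailing "#effective:..." note
        if (split($0, f, ":") != 3) next   # ignores "default:..." entries
        tag[++n] = f[1]; who[n] = f[2]; perm[n] = f[3]
        if (f[1] == "mask") mask = f[3]
    }
    END {
        for (i = 1; i <= n; i++) {
            if (tag[i] == "mask") continue
            p = perm[i]
            # The owner (user::) and other:: are never masked; named users,
            # the owning group and named groups are ANDed with the mask.
            exempt = (tag[i] == "user" && who[i] == "") || tag[i] == "other"
            if (!exempt && mask != "") {
                e = ""
                for (k = 1; k <= 3; k++)
                    e = e (substr(mask, k, 1) == "-" ? "-" : substr(p, k, 1))
                p = e
            }
            print tag[i] ":" who[i] " " p
        }
    }'
}

# ls_group_bits prints the triple "ls -l" shows in the group position:
# the mask when the ACL has one, otherwise the owning group entry.
ls_group_bits() {
    awk -F: '
    /^#/ { next }
    { sub(/[ \t]*#.*/, "") }
    $1 == "mask" { m = $3 }
    $1 == "group" && $2 == "" { g = $3 }
    END { print (m != "" ? m : g) }'
}

# getfacl output from the page: after "setfacl -m u:user01:rx", then after "chmod g-x".
ACL_AFTER_SETFACL=$(printf '%s\n' '# file: test' 'user::rw-' 'user:user01:r-x' 'group::r--' 'mask::r-x' 'other::r--')
ACL_AFTER_CHMOD=$(printf '%s\n' '# file: test' 'user::rw-' 'user:user01:r-x #effective:r--' 'group::r--' 'mask::r--' 'other::r--')

for acl in "$ACL_AFTER_SETFACL" "$ACL_AFTER_CHMOD"; do
    echo "ls -l group column: $(printf '%s\n' "$acl" | ls_group_bits)"
    printf '%s\n' "$acl" | acl_effective
done
```

On a live system the same functions can be fed with "getfacl test | acl_effective".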