[mdlug] A big opportunity for Linux?
Jeff Hanson
jhansonxi at gmail.com
Thu Nov 22 10:54:33 EST 2007
On Nov 22, 2007 10:34 AM, Adam Tauno Williams
<adamtaunowilliams at gmail.com> wrote:
> > In actual practice in the workplace, I've never seen
> > u/g/o rwx to be insufficient for that sort of task.
>
> Wow, and how many groups do you have defined on your system?
>
> > I suppose the CIA would be an exception...but that's a VERY
> > special exception.
> > Even in the combat environment of Baghdad, ACLs are an
> > extremely heavy-handed way of solving the problem (and
> > in many ways, even clumsier than u/g/o rwx).
>
> Clumsier than u/g/o? That's just crazy, u/g/o is what is awkward and
> arbitrary. It is a clear vestige of a time when flexible security
> wasn't an issue.
From my past experiences I can't see where defining more groups
couldn't handle the same situations as ACLs. In Windows, I find ACLs
to be an unreliable mess. I've tried to set up a multiple partition
scheme in XP the same as is commonly done for Linux whereby the OS is
isolated from the user files. It failed miserably. Not only was I
unable to get the ACLs to work properly but redirecting special
folders like My Documents, Favorites, etc. failed because many
programs access them via an absolute path, not relative. I really
love apps that write user-created documents to the same directory as
the executables.
ACLs are a requirement in Windows because they are the only way to
apply a backwards-compatible security structure on a file system
hierarchy that was historically an uncontrolled mess. On *nix, if an
app didn't write to /var, /tmp, or /home/<user>, then it couldn't
write because of permissions. Linux distros either fix or don't
include apps that don't follow the FHS standard, and the package rules
and package managers ensure the apps install where they belong with
the correct permissions.
They changed ACL behavior again in Vista along with changing some of
the default accounts and groups. Nothing like trying to get it right
the fourth time.
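The groups-versus-ACLs question argued above, as an added example that is not part of the original thread or of any project: a small Python model of the Unix access rule (owner bits apply exclusively to the owner, group bits to non-owner members, other bits to everyone else) that, for constructed sample files, works out whether a wanted per-file policy can be laid out with u/g/o plus one group, how many distinct groups the administrator ends up defining across the files, and what the same policy looks like as setfacl entries. The file names, user names and wanted permissions are assumptions made up for the example.

```python
"""u/g/o + groups versus POSIX ACLs: which per-file policies each can express.

Added illustration for the mdlug thread; not code from the list or from any
project. Users, files and wanted permissions are constructed sample data.
Perms are strings over "rwx"; the key "*" means everyone else ("other").
"""
from collections import defaultdict


def to_bits(perms):
    """Render a perm string or set like "rw" as the rwx triple ls/setfacl use."""
    return "".join(c if c in perms else "-" for c in "rwx")


def ugo_plan(policy):
    """Express one file's policy with a single owner, a single group and the
    "other" bits, or return None if no u/g/o layout exists.

    Unix rule modelled here: the owner gets the owner bits only, a non-owner
    group member gets the group bits only, everyone else gets the other bits.
    So besides "other" there can be at most two permission classes on a file,
    and one of them must contain exactly one user (the owner).
    """
    other = frozenset(policy.get("*", ""))
    classes = defaultdict(set)  # perms -> users who need exactly those perms
    for user, perms in policy.items():
        if user == "*" or frozenset(perms) == other:
            continue  # already satisfied by the other bits
        classes[frozenset(perms)].add(user)

    if not classes:  # owner is some admin account; its bits equal "other"
        return {"owner": None, "owner_perms": other, "group": frozenset(),
                "group_perms": other, "other": other}
    if len(classes) == 1:
        [(perms, users)] = classes.items()
        if len(users) == 1:  # the single user simply owns the file
            return {"owner": next(iter(users)), "owner_perms": perms,
                    "group": frozenset(), "group_perms": other, "other": other}
        return {"owner": min(users), "owner_perms": perms,  # all in one group
                "group": frozenset(users), "group_perms": perms, "other": other}
    if len(classes) == 2:
        (p1, u1), (p2, u2) = classes.items()
        for (op, ou), (gp, gu) in (((p1, u1), (p2, u2)), ((p2, u2), (p1, u1))):
            if len(ou) == 1:  # singleton class becomes the owner, rest the group
                return {"owner": next(iter(ou)), "owner_perms": op,
                        "group": frozenset(gu), "group_perms": gp, "other": other}
    return None  # two multi-user classes (or more): no group count helps


def ugo_access(plan, user):
    """What `user` may do under a plan, per the exclusive owner/group rule."""
    if user == plan["owner"]:
        return plan["owner_perms"]
    if user in plan["group"]:
        return plan["group_perms"]
    return plan["other"]


def plan_all(policies):
    """Plan every file; return the distinct groups an admin must define and
    the files no u/g/o layout can express. Each plan is checked against the
    wanted policy for every named user and for an outsider."""
    groups, impossible = set(), []
    for path, policy in policies.items():
        plan = ugo_plan(policy)
        if plan is None:
            impossible.append(path)
            continue
        for user, perms in policy.items():
            if user != "*":
                assert ugo_access(plan, user) == frozenset(perms), (path, user)
        assert ugo_access(plan, "_outsider_") == frozenset(policy.get("*", ""))
        if plan["group"]:
            groups.add(plan["group"])
    return groups, impossible


def acl_entries(policy):
    """The same policy as entries for `setfacl -m`: one named-user entry per
    user, mask = union of the named perms so nothing is clipped, and the
    other bits. The u:: and g:: entries come from the file mode and are not
    listed here. Every policy has such a form; no group juggling needed."""
    named = {u: p for u, p in policy.items() if u != "*"}
    mask = set().union(*(set(p) for p in named.values()))
    entries = [f"u:{u}:{to_bits(p)}" for u, p in sorted(named.items())]
    entries.append(f"m::{to_bits(mask)}")
    entries.append(f"o::{to_bits(policy.get('*', ''))}")
    return entries


# Constructed sample: wanted access per file (assumed names, not real data).
SAMPLE = {
    "/srv/proj/design.doc": {"alice": "rw", "bob": "rw", "carol": "r", "*": ""},
    "/srv/proj/budget.xls": {"carol": "rw", "alice": "r", "bob": "r", "*": ""},
    "/srv/proj/notes.txt": {"alice": "r", "bob": "r", "carol": "r", "*": ""},
    "/srv/proj/README": {"alice": "rw", "*": "r"},
    "/srv/proj/secret.key": {"alice": "rw", "bob": "rw", "carol": "r",
                             "dave": "r", "*": ""},
}

if __name__ == "__main__":
    groups, impossible = plan_all(SAMPLE)
    print("groups to define:", [sorted(g) for g in groups])
    print("no u/g/o layout for:", impossible)
    for path in impossible:
        print(path, "as ACL:", " ".join(acl_entries(SAMPLE[path])))
```

Running it shows both sides of the argument at once: the first four files need only two groups between them (one per distinct member set, which is where Adam's "how many groups" count comes from), while secret.key, with two users who need rw and two who need r, has no u/g/o layout no matter how many groups exist, yet is a four-line ACL.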