Subject: Re: ACL
To: Bill Studenmund <wrstuden@zembu.com>
From: Lord Isildur <mrfusion@umbar.vaxpower.org>
List: tech-kern
Date: 04/09/2001 20:43:26
There is a lot of documentation for AFS. Perhaps transarc/ibm doesnt have it
on their site, but the printed docs are very comprehensive, if you happen
to be at a site that was a transarc customer when AFS was commercial.
Personally, for ACLs, i find the AFS model to be a nice compromise.
ACLs are for directories only, but there is a very nice groups mechanism
for making things as flexible as you could ever need. Some people have
hinted that they want per-file ACLs, but directory ACLs are a lot less
overhead and you get quite a decent degree of control. some of the mode
bits on a directory in AFS frob some of the (effective) UNIX mode bits for
the files in the directory, otherwise the UNIX mode bits dictate access
as usual. AFS has the concept of both positive and negative rights, so that
one can either explicitly grant or explicitly revike rights, too. it makes
something liek suspending someone's account very easy.
Actually, once upon a time, AFS was hacked into NetBSD by somebody. If
any of this code still exists, it would provide an example of making the ACLs
work , too. i think this was circa NetBSD 1.2 or so.
On Tue, 3 Apr 2001, Bill Studenmund wrote:
> On Tue, 3 Apr 2001 wojtek@wojtek.from.pl wrote:
> > > out some on permissions for AFS, or the security part of DCE. I hope other
> > > folks will contribute references too. These are all very UNIX-centric ACL
> > > environments.
> >
> > any URL please?
>
> I've not found many. I wanted to find ones for DCE, but didn't. The only
> ones I found were the Linux ACL folks and the TrustedBSD folks. One thing
> I'd point out about the Linux folks is that they are trying to impliment a
> POSIX (draft I think) standard. So it's not a Linux-invented thing. :-)
happy hacking,
isildur