Understanding ACL Limitations

You should be aware of some limitations that exist when working with ACLs. The first limitation is that ACLs are not cumulative: user and group permissions are not added together. Imagine a situation where stacey is the owner of a file and has only the read permission. She is also a member of the group sales, which is a trustee of the same file with read and write permission. When the permissions for this user are calculated, she will not end up with both read and write. To determine the effective permission, the operating system first checks whether she is the owner of the file. Since she is the owner, the operating system looks no further and applies the permissions for the owner. The permissions for the group are therefore ignored.

Note: ACLs are not cumulative, and neither are normal permissions. You can see this by giving a user who is the owner of a file no permissions at all while giving some permissions (for example, rw) to the group that owns the file. Next, make sure your user is a member of that group and see what he can do. You'll notice that both read and write access are denied for that user: the file system checks whether that user is the owner, and if that's the case, it looks no further.

The problem of nonaccumulation gets even more complex if a file or directory belongs to more than one group. When determining group rights, the group from which the rights are taken is selected randomly.
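The evaluation order described above, modeled as an added example that is not part of this chapter: the check walks the ACL classes in the order documented in acl(5) (owner, named user, group entries under the mask, other), so an owner match ends the search even when a group entry is more generous. All uids, gids, names and ACL entries below are constructed for illustration; the group step applies the acl(5) rule that any matching group entry granting the request is sufficient.

```python
# Added example: a model of the POSIX ACL access check, in the order acl(5)
# documents it: owner, named user, owning group / named groups (masked), other.
# Every uid, gid, name and ACL below is constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Acl:
    owner_uid: int
    owner_gid: int
    user_obj: str                      # owner's permissions, e.g. "r--"
    group_obj: str                     # owning group's permissions
    other: str
    users: dict = field(default_factory=dict)   # named user entries: uid -> "rwx"
    groups: dict = field(default_factory=dict)  # named group entries: gid -> "rwx"
    mask: str = None                   # caps named users and all group entries

def _grants(perms, wanted, mask=None):
    """True if every bit in `wanted` (a subset of "rwx") is set in `perms`,
    after the mask is applied when one is in effect."""
    effective = set(perms) - {"-"}
    if mask is not None:
        effective &= set(mask) - {"-"}
    return set(wanted) <= effective

def check_access(acl, uid, gids, wanted):
    """First matching class decides; an owner match ends the search even when a
    group entry would be more generous, which is why ACLs are not cumulative."""
    if uid == acl.owner_uid:
        return _grants(acl.user_obj, wanted)            # owner: look no further
    if uid in acl.users:
        return _grants(acl.users[uid], wanted, acl.mask)
    matching = [acl.group_obj] if acl.owner_gid in gids else []
    matching += [p for g, p in acl.groups.items() if g in gids]
    if matching:   # group class: any matching entry that grants the request
        return any(_grants(p, wanted, acl.mask) for p in matching)
    return _grants(acl.other, wanted)

# Scenario from the text: stacey (uid 1001) owns the file with r--, and group
# sales (gid 2001) is a named trustee with rw-. stacey is in sales and group 100.
STACEY, SALES = 1001, 2001
report = Acl(owner_uid=STACEY, owner_gid=100, user_obj="r--", group_obj="r--",
             other="---", groups={SALES: "rw-"}, mask="rw-")

def stacey_can_write():
    return check_access(report, STACEY, {100, SALES}, "w")        # False

def other_sales_member_can_write():
    return check_access(report, 1002, {SALES}, "w")               # True
```

Swapping `user_obj="r--"` for `"---"` reproduces the note's experiment: the owner is denied even read while a non-owner in the group still gets rw.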

Another problem when working with ACLs is that many applications still lack support for them. For example, most backup applications cannot handle ACLs, and your company database probably doesn't either. However, things are changing, and some applications are starting to support ACLs. One of them is the Samba file server (see Chapter 15 for coverage of this server), which makes an interesting combination for rights management. Some of the basic Linux utilities, such as cp, mv, and ls, also support ACLs. However, it is still not possible to manage ACLs from graphical file manager utilities; for example, when you copy files with the KDE file manager Konqueror, you lose the ACL settings.
