Re: Linux ACLs

[Sven Mueller]

Mark.Burgess@iu.hio.no [u] wrote on 26/10/2004 21:33:

> On 26 Oct, Sven Mueller wrote:

> > There are two types of ACLs in Linux:
> > 1) Filesystem ACLs, which should follow POSIX ACL recommendations
> >    pretty closely.
> > 2) Process ACLs (what resources process X of user Y is allowed to use)
> >    which are a non-POSIX thing only available in SE Linux kernels
> >
> > I think Mark wanted to look at (1) but actually looked at (2). ;-)
> > Not sure though, as I didn't write anything but scripts for ACLs (and 
> > those only for (1)).

> What makes you think I looked at the wrong thing?

From what a former colleague (a programmer) told me, Linux filesystem 
ACLs should be pretty easy to use as they are (as he told me) pretty 
much the same as POSIX filesystem ACLs. You said that they are totally 
different, so I assumed that you looked at something different.

> I was not looking at process ACLs or capabilites. The file ACL
> stuff does not seem to make sense of itself. The best refs I
> found are:
>
> http://www.suse.de/~agruen/acl/linux-acls/online/
> http://acl.bestbits.at/

Hmm....
The first document was written in 1999 according to the copyright notice 
at the end of it. I know that filesystem ACL implementation has changed 
a lot since 1999 (even since 2002-2-1 when that web page was generated 
and possibly even since 2003-04-04 when the translation was initiated).

> This disticnguishes NFS acls and posix acls but not clearly.

Hmpf, typical linux programmers documentation than.

> What I see is that these refer to <sys/acl.h> and a set of strange
> API functions, but these files do not exist. Instead I find posixacl.h
> and xattr.h which seem unrelated.

I think that those (posixacl.h and xattr.h) are in fact the currently 
used API for ACLs and EAs. IANAP though (i am not a programmer).

cu,
sven