On Wed, Jul 31, 2019 at 2:46 PM Grant Taylor via TUHS <tuhs(a)minnie.tuhs.org> wrote:

> I thought that ACLs acted as additional gates / restriction points
> beyond what standard Unix file system permissions allowed.
It's really how strict you want to be in the definition of an ACL. UNIX
uses the same basic/simple model, but traditional UNIX-style ACLs, 3
options of 3 modes, are just more coarsely defined than what, say, VMS or
later NT or SELinux use for their file systems. It's arguable that the
extra granularity of the others actually adds a great deal in actual
day-to-day use cases.

At one time, I will admit that I had thought VMS-style ACLs might be more
helpful to UNIX and we added them to one of our file systems, but when I
look back on 40 years of using anything beyond UNIX-style ACLs, it's been
pretty rare when I actually needed much more (*i.e.* theory vs. practice).

The problem is the programming interface tends to get more difficult when
you add some of the extra features. To me the brilliance of UNIX has
always been getting down to a very simple interface that was "good enough"
to get the *job done* and not so full of *extra stuff* that it gets in the
way (which tends to be a complaint, by the way, with Linux -- which does have a
lot of new/rich features, but is so full of so many different features
these days you have to wonder is/was it worth it).

To me, it's arguable that ACLs beyond R/W/E and U/G/E are really needed in
practice.
Clem
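To make the "3 options of 3 modes" concrete, here is an added example (not code from the thread, the TUHS archive, or any UNIX kernel) that implements the classic owner/group/other rwx check and, beside it, a minimal named-user ACL of the kind the thread contrasts it with. The principals, the 0460 file and the single ACL entry are constructed for the demonstration, the superuser rule is the usual simplification for regular files, and the ACL evaluation is an illustration rather than VMS, NT or POSIX.1e semantics.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

#define PERM_R 4
#define PERM_W 2
#define PERM_X 1

/* Constructed model of a regular file's ownership and permission bits
 * (the three rwx triplets); not a real inode. */
struct file_meta {
    uid_t  owner;
    gid_t  group;
    mode_t mode;   /* e.g. 0640 */
};

/* Constructed model of the calling process: uid, primary gid, supplementary gids. */
struct subject {
    uid_t        uid;
    gid_t        gid;
    const gid_t *groups;
    size_t       ngroups;
};

/* True if the subject's primary or any supplementary gid matches g. */
static bool in_group(const struct subject *s, gid_t g)
{
    if (s->gid == g)
        return true;
    for (size_t i = 0; i < s->ngroups; i++)
        if (s->groups[i] == g)
            return true;
    return false;
}

/* The classic 3x3 check. Exactly one class is consulted: owner if the uid
 * matches, else group if any gid matches, else other. A more permissive
 * class further down does not rescue an owner whose own bits deny access.
 * Superuser handling is the usual simplification for regular files: read and
 * write always, execute only if some execute bit is set. */
bool unix_access(const struct subject *s, const struct file_meta *f, unsigned want)
{
    unsigned granted;

    if (s->uid == 0)
        granted = PERM_R | PERM_W |
                  ((f->mode & (S_IXUSR | S_IXGRP | S_IXOTH)) ? PERM_X : 0);
    else if (s->uid == f->owner)
        granted = (f->mode >> 6) & 7;
    else if (in_group(s, f->group))
        granted = (f->mode >> 3) & 7;
    else
        granted = f->mode & 7;

    return (granted & want) == want;
}

/* A minimal named-user ACL as a contrast: explicit (uid, perms) entries are
 * consulted first and a match is final; otherwise fall back to the mode bits.
 * Constructed illustration only, not VMS, NT or POSIX.1e semantics. */
struct acl_entry {
    uid_t    uid;
    unsigned perms;
};

bool acl_access(const struct subject *s, const struct file_meta *f,
                const struct acl_entry *acl, size_t n, unsigned want)
{
    for (size_t i = 0; i < n; i++)
        if (acl[i].uid == s->uid)
            return (acl[i].perms & want) == want;
    return unix_access(s, f, want);
}

/* Constructed sample principals and file for the demonstration. */
static const gid_t staff_gids[] = { 100 };
const struct subject alice     = { 1000, 1000, staff_gids, 1 }; /* owner, also in gid 100 */
const struct subject bob       = { 1001,  100, NULL, 0 };       /* group member only */
const struct subject eve       = { 1002,  200, NULL, 0 };       /* other */
const struct subject superuser = {    0,    0, NULL, 0 };
const struct file_meta demo_file = { 1000, 100, 0460 };         /* r-- rw- --- */
const struct acl_entry demo_acl[] = { { 1002, PERM_R } };       /* named grant for eve */

int main(void)
{
    /* alice owns the file, so only the owner triplet (r--) applies: the
     * group's write bit does not help her even though she is in gid 100. */
    printf("alice (owner) write: %d\n", unix_access(&alice, &demo_file, PERM_W));
    printf("bob (group) write:   %d\n", unix_access(&bob, &demo_file, PERM_W));
    printf("eve (other) read:    %d\n", unix_access(&eve, &demo_file, PERM_R));
    printf("eve via ACL read:    %d\n", acl_access(&eve, &demo_file, demo_acl, 1, PERM_R));
    return 0;
}
```

The owner-class-only rule is the part of the simple model that most often surprises people auditing permissions: a file that is `r--rw----` denies its own owner write access while granting it to the group. The ACL variant shows what the extra granularity buys (a grant to one named user without widening "other") and what it costs (one more list to evaluate, store, and expose through the programming interface).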