From: Feizhou <feizhou@xxxxxxxxxxxx>
> What is really needed is the ability to limit access to a file on a per
> user account basis (acls), not by locking down via a group permission.
And that's POSIX's ACLs, c/o the "Austin Group" work of the IEEE POSIX
committee circa 2001 and the X/Open Single UNIX Specification (SUS)
version 3.
XFS on Linux has had POSIX ACL support since day one (using its own
codebase), and it's largely XFS's GPL contributions (and direct port from Irix,
unlike IBM who ported JFS from OS/2 and not AIX) to kernel 2.6 (POSIX
ACL's were standardized as of the 2.5.3 development branch, thanx largely
to SGI). Ext3 has had a varied history in the 2.4.x timeframe, and even
Red Hat gave up on them in Red Hat Linux 8.0 until kernel 2.6 in FC2+.
But even POSIX ACLs are _still_ Discretionary Access Controls (DAC),
atop of the legacy UNIX DACs we're all used to. They just augment
discretionary control, and don't solve the MAC problem.
MAC limits you, not augments you with delegation, on purpose.. People
tend to hate MAC when they are first presented with the conepts, because
they expect them to work like DAC. ;->
--
Bryan J. Smith mailto:b.j.smith@xxxxxxxx
