On Wed, 2008-11-05 at 14:40 -0500, William A. (Andy) Adamson wrote:
>
> A better way to limit access is to use ACL's on the directory,

Yes, indeed. I have been holding off as long as I can on using ACLs given the lack of integration into the GUI (i.e. gnome) environment thus far. For example, so far as I know, nautilus does not have any ACL inspection/modification in it yet. Maybe that's not such a big deal. Just another layer I guess.

> which
> actually make a difference when running kerberos. :)

Yeah. FWIU, ACLs would solve the other of the 2 problems that I went to nfs4 with gssapi for anyway and that's being able to more easily allow others access to files. Unix groups work fine for this as long as you can control the umask/permission bits a particular application sets on the files it creates. While I can create inheritance rules for ownerships in the SYS security model I can't create (inheritable) umask/permissions rules and have to rely on either the users' global umask or the application giving, say, group write permissions to a file. Setting the users' global umask for that is of course unacceptable and that only leaves attacking the problem on an application-by-application basis. Yuck.

b.
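The limitation described in the message above, as an added example that is not part of the original e-mail: a setgid directory makes new files inherit its group, but their permission bits still come from the creating process's umask and the mode the application requests. The function name, the `shared` directory and `report.txt` are constructed for illustration, and the code assumes a local Linux filesystem with no default ACL on the temporary directory.

```python
import os
import stat
import tempfile


def create_in_shared_dir(umask, requested_mode=0o666):
    """Create a file in a setgid directory under the given umask.

    Returns (group_inherited, group_writable, mode_bits) for the new file.
    """
    old_umask = os.umask(0)  # neutral umask while the directory is set up
    try:
        with tempfile.TemporaryDirectory() as tmp:
            shared = os.path.join(tmp, "shared")  # constructed sample path
            os.mkdir(shared, 0o770)
            # setgid on a directory: new entries inherit the directory's group.
            # This is the only "inheritance rule" the plain mode bits offer.
            os.chmod(shared, 0o2770)

            os.umask(umask)  # the creating user's umask applies from here on
            path = os.path.join(shared, "report.txt")
            fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL,
                         requested_mode)
            os.close(fd)

            st = os.stat(path)
            mode = stat.S_IMODE(st.st_mode)
            group_inherited = st.st_gid == os.stat(shared).st_gid
            return group_inherited, bool(mode & stat.S_IWGRP), mode
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    # Same directory, same group; only the umask or the application's
    # requested mode changes, and with it whether the group can write.
    cases = [(0o077, 0o666), (0o022, 0o666), (0o002, 0o666), (0o002, 0o600)]
    for umask, requested in cases:
        inherited, writable, mode = create_in_shared_dir(umask, requested)
        print(f"umask={umask:03o} requested={requested:03o} -> "
              f"mode={mode:03o} group_inherited={inherited} "
              f"group_writable={writable}")
```

The last case shows the application side of the problem: even with a group-friendly umask, a program that requests mode 0600 produces a file the group cannot write.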