On 09/06/18 18:09, Rich Freeman wrote:
> I feel like this is something that Windows natively gets "better" than
> POSIX. They have a concept of UIDs being specific to a machine or
> authentication server (or domain as they call it), and this concept is
> enforced at the host level. That said, I'm sure this approach has its
> downsides as well, in particular it is certainly more complex and at
> work we practically forbid any kind of Windows ACLs at anything other
> than the top mount level because it is so hard to control.

Windows is better than POSIX?! That doesn't say much for POSIX then,
seeing as I feel Windows ACLs are overly complex and difficult!

Okay, ACLs assume a directory structure, which have serious problems
with Unix hard links, so I can understand the two features not mapping
on to each other very well. In particular, if an object does not have a
specific ACL, it's supposed to inherit from its parent, but if you have
hard links, which parent does it inherit from?

The system I used which had ACLs, I *think* when you logged in to any
machine, you could tell it to authenticate against a different machine
so it must have had some machine/identity pair.

Then ACLs were simplicity itself as well, because they were
user,group,other. If a user was named, that was what they got. If they
weren't named, they got the sum of all the groups they belonged to. And
if none of their groups were named, they just got the other permissions.

So if you wanted someone to get LESS than the sum of their groups, you
just gave them personally what you wanted, and that was that.

Cheers,
Wol
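
The evaluation order described in the message above, together with the hard-link inheritance question it raises, as an added Python sketch that is not part of the original e-mail. The `Acl`/`Node` model, the permission bits and the sample users, groups and directories are constructed for illustration; the message does not name the system being recalled.

```python
from dataclasses import dataclass, field
from typing import Optional

READ, WRITE = 4, 2  # constructed permission bits

@dataclass
class Acl:
    users: dict = field(default_factory=dict)   # user name -> bits
    groups: dict = field(default_factory=dict)  # group name -> bits
    other: int = 0

def effective(acl, user, user_groups):
    """Named user entry wins outright; else union of named groups; else 'other'."""
    if user in acl.users:
        return acl.users[user]
    named = [acl.groups[g] for g in user_groups if g in acl.groups]
    if named:
        bits = 0
        for b in named:
            bits |= b
        return bits
    return acl.other

@dataclass
class Node:
    name: str
    acl: Optional[Acl] = None
    parents: list = field(default_factory=list)  # >1 parent models a hard link

def candidate_acls(node):
    """Own ACL if set, otherwise every ACL reachable by inheriting upward."""
    if node.acl is not None:
        return [node.acl]
    found = []
    for parent in node.parents:
        found.extend(candidate_acls(parent))
    return found

def inherited_rights(node, user, user_groups):
    """Distinct results the inheritance rule can give; more than one = ambiguous."""
    return sorted({effective(a, user, user_groups) for a in candidate_acls(node)})

# Constructed sample data
team = Acl(users={"carol": READ}, groups={"hr": READ | WRITE, "staff": READ})
public = Node("public", Acl(other=READ))
payroll = Node("payroll", Acl(groups={"hr": READ | WRITE}))
report = Node("report", parents=[public, payroll])  # one file, two directory entries

if __name__ == "__main__":
    print(effective(team, "carol", {"hr", "staff"}))  # personal entry caps her below her groups
    print(inherited_rights(report, "alice", {"staff"}))
```

When `inherited_rights` returns more than one value for the same file, the answer depends on which directory entry the access check walks up from, which is the ambiguity the message points at.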