| 1 |
On 09/06/18 18:09, Rich Freeman wrote: |
| 2 |
> I feel like this is something that Windows natively gets "better" than |
| 3 |
> POSIX. They have a concept of UIDs being specific to a machine or |
| 4 |
> authentication server (or domain as they call it), and this concept is |
| 5 |
> enforced at the host level. That said, I'm sure this approach has its |
| 6 |
> downsides as well, in particular it is certainly more complex and at |
| 7 |
> work we practically forbid any kind of windows ACLs at anything other |
| 8 |
> than the top mount level because it is so hard to control. |
| 9 |
|
| 10 |
Windows is better than POSIX?! That doesn't say much for POSIX then, |
| 11 |
seeing as I feel Windows ACLs are overly complex and difficult! |
| 12 |
|
| 13 |
Okay, ACLs assume a directory structure, which have serious problems |
| 14 |
with Unix hard links, so I can understand the two features not mapping |
| 15 |
on to each other very well. In particular, if an object does not have a |
| 16 |
specific acl, it's supposed to inherit from its parent, but if you have |
| 17 |
hard links which parent does it inherit from? |
| 18 |
|
| 19 |
The system I used which had ACLs, I *think* when you logged in to any |
| 20 |
machine, you could tell it to authenticate against a different machine |
| 21 |
so it must have had some machine/identity pair. |
| 22 |
|
| 23 |
Then ACLs were simplicity itself as well, because they were |
| 24 |
user,group,other. If a user was named, that was what they got. If they |
| 25 |
weren't named, they got the sum of all the groups they belonged to. And |
| 26 |
if none of their groups were named, they just got the other permissions. |
| 27 |
|
| 28 |
So if you wanted someone to get LESS than the sum of their groups, you |
| 29 |
just gave them personally what you wanted, and that was that. |
| 30 |
|
| 31 |
Cheers, |
| 32 |
Wol |
Archives