Date:      Wed, 22 Oct 1997 19:05:39 -0600 (MDT)
From:      Wes Peters - Softweyr LLC <softweyr@xmission.com>
To:        skafte@worldgate.com (Greg Skafte)
Cc:        chat@freebsd.org
Subject:   Re: C2 Trusted FreeBSD?
Message-ID:  <199710230105.TAA13328@xmission.xmission.com>
In-Reply-To: <19971021205331.53826@worldgate.com> from "Greg Skafte" at Oct 21, 97 08:53:31 pm

> 	back in a former life when I worked for a company that had 
> 	an HP, I set up extended ACLs all the time, it was very handy
> 	for controlling access to things like web directories. (i.e.
> 	yes everyone was part of group http, but then with the extended
> 	ACL I could force things to g=rwx, but still control who could
> 	read or write to a specific tree) ACLs take some extra time
> 	and effort but in the long term I found them wonderful...

Yes, but how do you back them up, or, worse yet, restore them?  How do
you copy your HTML directory tree to another drive you're bringing
on-line and preserve all the ACL settings?  As noted before, *none*
of the system tools support the ACLs.  If you created, for instance,
a version of TAR that backed up the ACL information, it would be
incompatible with every other version of tar in the world.*

Tools are a part of the reason ACLs aren't a standard part of UNIX.
They're not that hard to implement, especially not if you do it
the way HP did, which simply extends the inode information by a
fixed amount.

*The one exception was a backup program called DBR, which is no longer
sold.  On HP-UX and AIX, it could save the ACL information using
cpio -c format and maintain compatibility with standard cpio by using
cute tricks in the cpio format.  It would use a 1024 byte buffer for
the filename, and then place the null-terminated filename in the 
buffer, followed by the ACL information.  Cpio would happily extract
the full 1024 bytes of filename info and then open the null-terminated
filename, ignoring the ACL data.  In order to restore the ACL information,
you had to restore with DBR, but *any* cpio could get the file data
off the tape.  Cute, eh?

-- 
          "Where am I, and what am I doing in this handbasket?"

Wes Peters                                                       Softweyr LLC
http://www.xmission.com/~softweyr                       softweyr@xmission.com
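
The name-buffer trick described in the footnote above, as an added example that is not part of the original message and is not DBR's code. It assumes "cpio -c" means the POSIX portable-ASCII (odc) header; the function names and the ACL bytes are constructed for illustration.

```python
# Added illustration, not DBR's code. Assumes "cpio -c" means the POSIX
# portable-ASCII ("odc") header: 76 octal-digit bytes, magic 070707.
NAME_BUF = 1024   # fixed name buffer size given in the message
HDR_LEN = 76

def odc_header(namesize, filesize, mode=0o100644):
    # (value, width) in header order:
    # magic dev ino mode uid gid nlink rdev mtime namesize filesize
    fields = [(0o070707, 6), (0, 6), (1, 6), (mode, 6), (0, 6), (0, 6),
              (1, 6), (0, 6), (0, 11), (namesize, 6), (filesize, 11)]
    return "".join(f"{v:0{w}o}" for v, w in fields).encode("ascii")

def pack_member(name, data, acl):
    """Name field = NUL-terminated name + ACL bytes, padded to NAME_BUF."""
    field = name.encode() + b"\0" + acl
    if len(field) > NAME_BUF:
        raise ValueError("name plus ACL data exceeds the name buffer")
    return odc_header(NAME_BUF, len(data)) + field.ljust(NAME_BUF, b"\0") + data

def read_member(archive, offset=0):
    """Return (name, slack, data, next_offset) for the member at offset."""
    hdr = archive[offset:offset + HDR_LEN]
    if len(hdr) != HDR_LEN or hdr[:6] != b"070707":
        raise ValueError("not an odc cpio header")
    namesize, filesize = int(hdr[59:65], 8), int(hdr[65:76], 8)
    start = offset + HDR_LEN
    field = archive[start:start + namesize]
    body = archive[start + namesize:start + namesize + filesize]
    if len(field) != namesize or len(body) != filesize or b"\0" not in field:
        raise ValueError("truncated or malformed member")
    # A stock reader stops at the first NUL; anything after it is slack.
    name, _, slack = field.partition(b"\0")
    return name.decode(), slack.rstrip(b"\0"), body, start + namesize + filesize

# Constructed sample; the ACL bytes are a placeholder, not DBR's real encoding.
SAMPLE_ACL = b"user:alice:rw-,group:http:r--"
ARCHIVE = pack_member("htdocs/index.html", b"<html></html>\n", SAMPLE_ACL)

if __name__ == "__main__":
    name, slack, body, _ = read_member(ARCHIVE)
    print("plain cpio sees:", name, len(body), "bytes")
    print("name-field slack (ACL-aware reader / auditor):", slack)
```

A restore that only uses the name up to the first NUL recovers the file with default permissions, so non-empty slack in the name field is the thing to look for when checking whether an archive carries access-control data a stock cpio will silently drop.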


