"Paul B. Henson" <hen...@acm.org> writes: > On Sun, 28 Feb 2010, Kjetil Torgrim Homme wrote: > >> why are you doing this? it's inherently insecure to rely on ACL's to >> restrict access. do as David says and use ACL's to *grant* access. >> if needed, set permission on the file to 000 and use umask 777. > > Umm, it's inherently insecure to rely on Access Control Lists to, > well, control access? Doesn't that sound a bit off?
no. what happens when an NFS client without ACL support mounts your filesystem? your security is blown wide open. the filemode should reflect the *least* level of access. if the filemode on its own allows more access, then you've lost. > The only reason it's insecure is because the ACL's don't stand alone, > they're propped up on a legacy chmod interoperability house of cards > which frequently falls down. not if you do it right. >> why is umask 022 when you want 077? *that's* your problem. > > What I want is for my inheritable ACL's not to be mixed in with legacy > concepts. ACL's don't have a umask. One of the benefits of inherited > ACL's is you don't need to globally pick "022, let people see what I'm > up to" vs "077, hide it all". You can just create files, with the > confidence that every one you create will have the appropriate > permissions as configured. if your ACLs are completely specified and give proper access on their own, and you're using aclmode=passthrough, "chmod -R 000 /" will not harm your system. if you have rogue processes doing "chmod a+rwx" or other nonsense, you need to fix the rogue process, that's not an ACL problem or a problem with traditional Unix permissions. > Except, of course, when they're comingled with incompatible security > models. Basically, it sounds like you're arguing I shouldn't try to > fix ACL/chmod issues because ACL's are insecure because they have > chmod issues 8-/. not at all. you just have to use them correctly. -- Kjetil T. Homme Redpill Linpro AS - Changing the game _______________________________________________ zfs-discuss mailing list zfs-discuss@opensolaris.org http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
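
The restrict-versus-grant argument in the message above, as a simplified model. This is an added example, not part of the original post and not ZFS code: `acl_aware` is a reduced sketch of ordered allow/deny ACE evaluation, `mode_only` stands for any enforcement point that looks only at the permission bits, and the uids, gids, files and ACEs are constructed.

```python
R, W, X = 4, 2, 1  # permission bits, as in one octal digit of a file mode

def mode_only(f, uid, gid, want):
    """Classic Unix check: exactly one of the owner/group/other triplets applies."""
    shift = 6 if uid == f["owner"] else 3 if gid == f["group"] else 0
    return ((f["mode"] >> shift) & 7) & want == want

def acl_aware(f, uid, gid, want):
    """Ordered allow/deny ACEs; bits no ACE decides fall through to the mode."""
    undecided = want
    for kind, who, bits in f["acl"]:
        if who not in (("user", uid), ("group", gid)):
            continue
        if kind == "deny" and undecided & bits:
            return False
        if kind == "allow":
            undecided &= ~bits
    return undecided == 0 or mode_only(f, uid, gid, undecided)

def drift(f, principals, want):
    """Compare both checks: who gains access, and who loses it, without the ACL."""
    out = {"exposed": [], "locked_out": []}
    for uid, gid in principals:
        with_acl, without = acl_aware(f, uid, gid, want), mode_only(f, uid, gid, want)
        if without and not with_acl:
            out["exposed"].append(uid)
        elif with_acl and not without:
            out["locked_out"].append(uid)
    return out

# Constructed sample data: uids 100/200/300/400, each in its own group.
PRINCIPALS = [(100, 10), (200, 20), (300, 30), (400, 40)]
# ACL used to restrict: permissive mode, deny ACE for uid 200.
RESTRICT = {"owner": 100, "group": 10, "mode": 0o644,
            "acl": [("deny", ("user", 200), R)]}
# ACL used to grant: mode 000, allow ACEs for uids 100 and 300.
GRANT = {"owner": 100, "group": 10, "mode": 0o000,
         "acl": [("allow", ("user", 100), R | W), ("allow", ("user", 300), R)]}

if __name__ == "__main__":
    print("restrict:", drift(RESTRICT, PRINCIPALS, R))
    print("grant:   ", drift(GRANT, PRINCIPALS, R))
```

In this model the restrict layout exposes uid 200 to reads once the ACL is ignored, while the grant layout only locks out uids 100 and 300.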