-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 01/13/2013 02:41 PM, Branko Majic wrote:
Slightly off-topic from my side, but wanted to mention it since I've worked with POSIX ACLs a bit.
Personally, I've had very bad experiences with POSIX ACLs. They can act in quite an unintuitive way when you start combining them with different umask's, originating directory/file permissions (in case of copying), sticky bits, and chmod's on files/directories where you've already set-up the permissions (not to mention that some stuff seems to outright ignore it, like mod_php5/php).
Most of the problem is that the utilities don't support it, and the tooling isn't there to make it easy to fix things when they get messed up.
GNU tar, cp, and mkdir for example claim to support ACLs, but then do it only half way: if you copy a non-ACL file into a directory with a default ACL, cp will preserve the group bits -- which are now the ACL mask -- making your ACLs useless.
I've had very little success getting things fixed; most people just aren't interested.
I have a standalone utility called apply-default-acl (now in Gentoo)
that can reapply the default ACL on a file or tree, fixing most of
these issues after the fact. I've patched tar, cp, and mkdir to
reapply the default ACL after they're done screwing things up, but for
other utilities, you just have to call apply-default-acl -r on the
result.
I wrote some stuff about this problem at [1].
The other half of the problem is that there's no "just do what I want" command to set ACLs on a hierarchy. For this I've created scripts called set-ro-perms, set-rw-perms, etc. It's just find, xargs, and setfacl -- but it makes a world of difference. There is a recursive mode for apply-default-acl now which can mimic most of them; you just need to set a default ACL on '.' and run it.
I've also attempted using it at some point for some LAMP apps I've deployed, and ended-up abandoning them in favour of group sticky bits on directories (wanted to administer the web app with regular account, while still letting the Apache access files using umask 0007).
So, personally, I'd avoid using them.
Same use case here, except we have multiple groups and users who need differing levels of access, and each website runs as a different system user. I don't know of any other way to do it.
Eventually, NFSv4 ACLs[2] are supposed to supercede the POSIX ones. Hopefully, unlike POSIX, the NFS ACLs will get standardized and actually gain some traction and decent support. At that point it should be fairly simple to migrate, since there's an "easy" mapping from POSIX to NFSv4.
[1] http://michael.orlitzky.com/articles/problems_with_posix_acls_and_common_uti...
[2] http://wiki.linux-nfs.org/wiki/index.php/ACLs -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux)
iQIcBAEBAgAGBQJQ8zJ5AAoJEBxJck0inpOir+MP/1p///gBNmXO3qQVOZabAXDc iYUMgiZ48WSpg7SKHUus80nKrue1IQdHC69ORTo7QUFw8o2/8CYXQo6v1EaytyDJ f702Qx7nMnwvdjH5PZQbxVi3qd+L3I+vwmH4omx2g4cFzM4KWNNXcG+tgWALquAc 0xMn8IpODfqV4SqNx1vjHKH35MBuPtyN+0YxGTixlryxQjSjSaSITxFEfRdXvzLT xL2WQw++XT5yC1UOyET4F/HQ0BG1C5jIB1auxrkLYQo3a4u+fXFjNQ3r67rL6Jus t9Z3drj48LSHeyc3tRV0MsIiVhgXGTmGyG+XR7DREt9MbMv2SjHbOtP6YsQ7tVpN 54JndK7Rbcm6yaSExBxCC7eCqgXb5AR10J8AijPwnNj2I6CstHMlG4lLqWvj8Bdm YQBdid3zbnb8r8sbpwe67UUArwMZWzVReZpETYbW4BrBy7CTPaooizP0fOE/mNwn 78vc5L+1I3edQEOtD3DQhUOFKxPFjJh1x4EdDNzd0K5+a1ZgfBxYw/U6q8ItBJ12 leoNzWMvZklJb/U4gGx2fYSwlZM1wxDGfRp0P63YYvNSaEXloGcRuozVInIzpm3g QOA5I/1ux7WiisQoln74gJGkPPnbZuAOs45xEl0RUjrWJGzgSWpc8I8h5j755COV w80fwFF4c5SIYXf/luor =/6b8 -----END PGP SIGNATURE-----