From: Feizhou feizhou@graffiti.net
What is really needed is the ability to limit access to a file on a per user account basis (acls), not by locking down via a group permission.
And that's POSIX's ACLs, c/o the "Austin Group" work of the IEEE POSIX committee circa 2001 and the X/Open Single UNIX Specification (SUS) version 3.
XFS on Linux has had POSIX ACL support since day one (using its own codebase), and it's largely XFS's GPL contributions (and direct port from Irix, unlike IBM who ported JFS from OS/2 and not AIX) to kernel 2.6 (POSIX ACLs were standardized as of the 2.5.3 development branch, thanks largely to SGI). Ext3 has had a varied history in the 2.4.x timeframe, and even Red Hat gave up on them in Red Hat Linux 8.0 until kernel 2.6 in FC2+.
But even POSIX ACLs are _still_ Discretionary Access Controls (DAC), atop the legacy UNIX DACs we're all used to. They just augment discretionary control, and don't solve the MAC problem.
MAC limits you, not augments you with delegation, on purpose. People tend to hate MAC when they are first presented with the concepts, because they expect them to work like DAC. ;->
-- Bryan J. Smith mailto:b.j.smith@ieee.org
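The DAC-versus-MAC distinction above, as an added example that is not part of the thread and not code from any of the filesystems or kernels it mentions. The `dac_check` function follows the POSIX ACL evaluation order documented in acl(5) (owner entry, then named user, then owning group plus named groups under the mask, then other), and `grant_user` mimics what `setfacl -m u:<uid>:<perms>` does to the mask. The MAC layer is a deliberately simplified "no read up, no write down" level check; the uids, gids, labels and file are constructed sample values, and `LEVELS` is an assumed policy, not any real system's.

```python
"""Toy model of POSIX ACL (DAC) evaluation with a MAC layer on top.

Added illustration, not code from the mailing-list thread. The ACL order
follows acl(5); the MAC policy is a constructed "no read up, no write down"
level check. Every uid, gid, level and file below is a constructed sample."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Acl:
    """One file's ACL. Permission strings are subsets of "rwx"."""
    owner_uid: int
    owner_gid: int
    user_obj: str                                # ACL_USER_OBJ  (owner)
    group_obj: str                               # ACL_GROUP_OBJ (owning group)
    other: str                                   # ACL_OTHER
    users: dict = field(default_factory=dict)    # ACL_USER  entries: uid -> perms
    groups: dict = field(default_factory=dict)   # ACL_GROUP entries: gid -> perms
    mask: Optional[str] = None                   # ACL_MASK, present once named entries exist


def _has(perms: str, wanted: str) -> bool:
    return all(c in perms for c in wanted)


def _masked(perms: str, mask: Optional[str]) -> str:
    # ACL_MASK caps named users, the owning group and named groups; never owner/other.
    return perms if mask is None else "".join(c for c in perms if c in mask)


def dac_check(acl: Acl, uid: int, gids: set, wanted: str) -> bool:
    """POSIX ACL access check in the order acl(5) specifies."""
    if uid == acl.owner_uid:                       # 1. owner entry decides outright
        return _has(acl.user_obj, wanted)
    if uid in acl.users:                           # 2. named user entry, under the mask
        return _has(_masked(acl.users[uid], acl.mask), wanted)
    group_perms = []                               # 3. owning group and named groups
    if acl.owner_gid in gids:
        group_perms.append(_masked(acl.group_obj, acl.mask))
    group_perms += [_masked(p, acl.mask) for g, p in acl.groups.items() if g in gids]
    if group_perms:                                #    any matching group entry suffices,
        return any(_has(p, wanted) for p in group_perms)  # and there is no fall-through
    return _has(acl.other, wanted)                 # 4. otherwise ACL_OTHER


def grant_user(acl: Acl, by_uid: int, uid: int, perms: str) -> None:
    """What `setfacl -m u:<uid>:<perms>` does: discretionary delegation by the owner.
    The mask is recomputed as the union of the group-class entries, as setfacl does."""
    if by_uid != acl.owner_uid:
        raise PermissionError("only the file owner can modify its ACL")
    acl.users[uid] = perms
    union = set(acl.group_obj)
    for p in list(acl.users.values()) + list(acl.groups.values()):
        union |= set(p)
    acl.mask = "".join(c for c in "rwx" if c in union)


# --- MAC layer: labels are set by policy, not by the file owner (assumed policy) ---
LEVELS = {"public": 0, "internal": 1, "secret": 2}


def mac_check(subject_level: str, object_level: str, wanted: str) -> bool:
    """No read up, no write down. Nothing the owner does to the ACL changes this."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if "r" in wanted and s < o:
        return False
    if "w" in wanted and s > o:
        return False
    return True


def access(acl: Acl, obj_level: str, uid: int, gids: set, subj_level: str, wanted: str) -> bool:
    """Both layers must agree; MAC is evaluated first and DAC cannot waive it."""
    return mac_check(subj_level, obj_level, wanted) and dac_check(acl, uid, gids, wanted)


def demo():
    """Constructed scenario: alice (uid 1000) owns a 'secret' report; bob (uid 1001)
    is cleared only for 'internal' and is not in the owning group."""
    alice, bob, staff = 1000, 1001, 100
    report = Acl(owner_uid=alice, owner_gid=staff, user_obj="rw", group_obj="r", other="")
    before = access(report, "secret", bob, {2000}, "internal", "r")
    grant_user(report, alice, bob, "r")            # DAC delegation: alice shares read
    dac_after = dac_check(report, bob, {2000}, "r")  # the ACL alone now says yes
    mac_after = access(report, "secret", bob, {2000}, "internal", "r")  # MAC still says no
    return before, dac_after, mac_after


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(False, True, False)`: the ACL grant works exactly as Feizhou asks for (per-user, no group needed), yet the combined decision is unchanged, which is the sense in which MAC limits rather than augments.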