[CentOS] Tools/mechanisms for the management of access permissions in big filebased datasets

Wed Nov 28 17:44:37 UTC 2018
Warren Young <warren at etr-usa.com>

On Nov 28, 2018, at 2:36 AM, Frank Thommen <list.centos at drosera.ch> wrote:
> Our problem is more the management side.  Effectively we are looking for a tool that helps us manage these permissions

I want ACLs to work.  There’s a real problem to solve, which is that the old user:group rwx Unix permission system doesn’t let you express common wishes like “Angel & Bobby own this file, and groups Cookie and Danish can read and write it, and user Egbert can write it.”

The problem is, ACLs are hidden by default with respect to “ls -l”, and when you do make them visible with getfacl, you now have a complex mental parsing problem to solve before you understand the meaning of the ACL.  Add in ACL inheritance and you’ve got a real mess.

Make a facility hidden and complex, and you pretty much guarantee that few will use that facility, and those who do will at times create messes they can’t properly understand.  A security mechanism that’s most often underused, misapplied, or both is a bad system.

FOSS is good at solving such problems, so the only way I can see that tools to solve this problem don’t exist is that few actually use ACLs, perhaps because of the reasons above.

Who here uses ACLs to good effect?  Are you using more than just getfacl/setfacl to do it?