commands

On Tue, 2008-04-08 at 09:58 +0100, solarflow99 wrote:
> I was wondering if anyone uses ACLs?  I can't
understand why they are
> necessary since regular file permissions seem to do the
same thing,
> plus there are other alternatives such as selinux.  Is
it safe to say
> that ACL's are not very popular?

I use ACLs and they do not do the same thing as File System
permissions.

Take the following directory:

[samunixdevweb1-vm sites]$ ls -al | grep www-su
drwxrws---+  5 www-su www-su 4096 Nov 15  2006 www-su

That says, let the user www-su and members of the group
www-su
read/write to that directory. It also says preserve group
membership on
files contained in that directory as www-su.

Now lets look at the facl:

# file: www-su
# owner: www-su
# group: www-su
user::rwx
group::rwx
group:apache:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:www-su:rwx
default:mask::rwx
default:other::---

Which says additionally allows members of the apache group
to read the
files and also gives default permissions for objects created
in the
directory. ACLs are much much more powerful than files.

Lets take the case of the user owning that file which is
owned by
www-su:www-su. If the user wants to let additional people
read/write the
file they can only do so by editing /etc/group - which isn't
something
normal users can do... or with ACLs they can do
"setfacl -m
u:someuser:rwx www-su" and grant the permissions
themselves.

I think it would be fair to say that ACLs are less popular
than
traditional permissions, but they are not equivalent.

> Another question is why the chattr command even exists,
since only 3
> of its options even work with newer filesystems now,
what use is
> setting the (i) attribute compared to chmod 400?

If I chmod 400 the file, root can still delete it. If I
chattr +i the
file, even root can't delete it without removing the
immutable bit
first. It provides an additional safety level.

--
Sam

_______________________________________________
rhelv5-list mailing list
rhelv5-listredhat.com
h
ttps://www.redhat.com/mailman/listinfo/rhelv5-list

solarflow99 wrote:
> I was wondering if anyone uses ACLs?  I can't
understand why they are 
> necessary since regular file permissions seem to do the
same thing, 
> plus there are other alternatives such as selinux.  Is
it safe to say 
> that ACL's are not very popular? 
> Another question is why the chattr command even exists,
since only 3 
> of its options even work with newer filesystems now,
what use is 
> setting the (i) attribute compared to chmod 400?
>  
>
------------------------------------------------------------
------------
>
> _______________________________________________
> rhelv5-list mailing list
> rhelv5-listredhat.com
> h
ttps://www.redhat.com/mailman/listinfo/rhelv5-list
>   
chattr +i filename will prevent even root removing a file
unless you 
chattr -i it first.

useful if you've got your silly hat on and are doing an rm
-fr on a 
directory with files in it you really don't want to get rid
of or spend 
time restoring.

worth noting it works on ext3 but not via nfs.

In terms of SELinux its all about risk,  you want top notch
security and 
can afford to spend the time configuring it and the data its
applied on 
it high risk? use SElinux, you just want simple servers
serving low risk 
files and if you get hacked then you wipe the box quickly
and restore 
the data (and patch the hole) then turn it off.

Also you may be within a company that requires certain
standards of 
security that SELinux meets that would otherwise prevent the
use of linux.

loose explanation http://en.wikipe
dia.org/wiki/SELinux

-- 
Alasdair Gow



-- 

This email and any files transmitted with it are
confidential and intended 
solely for the use of the individual or entity to whom they
are addressed.  
If you have received this email in error please notify the
sender. Any 
offers or quotation of service are subject to formal
specification.  
Errors and omissions excepted.  Please note that any views
or opinions 
presented in this email are solely those of the author and
do not 
necessarily represent those of Lumison, nplusone or
lightershade ltd.  
Finally, the recipient should check this email and any
attachments for the 
presence of viruses.  Lumison, nplusone and lightershade ltd
accepts no 
liability for any damage caused by any virus transmitted by
this email.

_______________________________________________
rhelv5-list mailing list
rhelv5-listredhat.com
h
ttps://www.redhat.com/mailman/listinfo/rhelv5-list

solarflow99 wrote:
> I was wondering if anyone uses ACLs?  I can't
understand why they are
> necessary since regular file permissions seem to do the
same thing, plus
> there are other alternatives such as selinux.  Is it
safe to say that ACL's
> are not very popular?

ACLs are quite new in Linux. I think they use extended
attributes.

Standard POSIX file permissions are not actually very
useful: I can't 
use them give you access to my list of state secrets There is
only 
one user associated with a file - the file's owner. There's
only one 
group associated with a file, commonly users.


If I read the ACL documentation aright, and my understanding
from it is 
consistent other environments, I can create an ACL that says
"user 
solarflow99 can read this file."

selinux has me confounded, I don't know whether I want to
spend the 
trouble to comprehend it.


> Another question is why the chattr command even exists,
since only 3 of its
> options even work with newer filesystems now, what use
is setting the (i)
> attribute compared to chmod 400?

+i prevents root. I've used it sometimes to protect
/etc/resolv.conf
I regularly use +a on .bash_history to avoid lost history.
Search 
debian's security guide.
+S might be useful for xen filessystems in files, but I'd
want to test 
performance before using it.

I thought the man page says three do not work?


-- 

Cheers
John

-- spambait
1aaaaaaacoco.merseine.nu  Z1aaaaaaacoco.merseine.nu
-- Advice
http://webfoo
t.com/advice/email.top.php
ht
tp://www.catb.org/~esr/faqs/smart-questions.html
http://support
.microsoft.com/kb/555375

You cannot reply off-list

_______________________________________________
rhelv5-list mailing list
rhelv5-listredhat.com
h
ttps://www.redhat.com/mailman/listinfo/rhelv5-list

solarflow99 wrote:
> I was wondering if anyone uses ACLs?  I can't
understand why they are 
> necessary since regular file permissions seem to do the
same thing, plus 
> there are other alternatives such as selinux.  Is it
safe to say that 
> ACL's are not very popular? 

ACLs are (intentionally) more complicated than simple file
system 
permissions.  Most of the time, simple file system
permissions are 
sufficient, so there's no point in messing with ACLs.  In
general, ACLs 
need site-specific customizations to be useful, so they
aren't used much 
by default package configurations, but when you have a
large, 
heavily-customized network with many users, there's simply
no efficient 
substitute for ACLs.

SELinux really isn't intended to be a substitute for ACLs. 
SELinux has 
the notion of a context, which can allow one application to
access a 
file while denying access to another application running as
the same 
user and group.  This is great for sandboxing applications
that have a 
high exposure to malicious interference, without locking
down the box so 
tightly that your users can't manage their own files.

> Another question is why the chattr command even exists,
since only 3 of 
> its options even work with newer filesystems now, what
use is setting 
> the (i) attribute compared to chmod 400?

There's no question chattr is a bit clunky, but it was
implemented 
because it did some very useful things for certain niche use
cases, and 
some of its features survive because there aren't any good
alternatives. 
  The 'i' attribute is basic a big "manual
override" flag, that prevents 
well-meaning scripts and applications from messing with
something you 
really, truly do not want to be messed with, even if those
scripts and 
applications would normally mess with it in spite of 400
permissions. 
It's very rare that you ever need to do this, but when you
do, it's very 
nice to have it.

-- Chris

_______________________________________________
rhelv5-list mailing list
rhelv5-listredhat.com
h
ttps://www.redhat.com/mailman/listinfo/rhelv5-list

> I was wondering if anyone uses ACLs?  I can't
understand why they are
> necessary since regular file permissions seem to do the
same thing

Others have already replied.  But let me give you a simple
example we
actually use here:

Users in group A should have read and write access to a
directory.
Users in group B shoul only have read (incl search) access
to it.
Users not in either group should have no access.

I'm sure you realise you need a few more bits than the
regular file
permissions provide to do this.

> Is it safe to say that ACL's
> are not very popular?

That is probably true.  But they ARE used.

_______________________________________________
rhelv5-list mailing list
rhelv5-listredhat.com
h
ttps://www.redhat.com/mailman/listinfo/rhelv5-list