in reply to Re: Windows for Unix Geeks?
in thread Windows for Unix Geeks?

This is a problem with ACL systems in general. They are extremely flexible and expressive, but require a level of stamina and determination to harness that few except the dysfunctionally obsessive will manage.

(The Unix permission model OTOH is so simplistic that only the most trivial arrangements are expressible. All things considered, I still prefer Unix permissions because at least they make the common, simple things a no-brainer; that ACLs make the hard things possible doesn’t mean these aren’t still an absolutely massive pain. Someday we’ll figure out long-term tenable approaches to security…)

Makeshifts last the longest.


Re^3: Windows for Unix Geeks?
by Argel (Prior) on Jan 16, 2006 at 21:58 UTC
    A compromise for the UNIX world might be to allow groups to belong to other groups.

    -- Argel

      That wouldn’t help much.

      You can get the same effect already if you expand subgroups manually. Of course, that makes large userbases difficult to manage. You could reduce the burden by generating /etc/groups via a preprocessor or some such.

      So this is proof by induction that nestable groups do not actually expand the expressive capabilities of the Unix model. They could make large userbases easier to manage, but everything you can express with them is expressible without them as well.

      ACL systems OTOH actually allow mapping scenarios that the Unix model cannot, and won’t be able to with nested groups either. Of course, they are also hard to handle and will fry your brain…

      Makeshifts last the longest.
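
The manual subgroup expansion and preprocessor idea from the reply above, as an added example that is not part of the original thread: it flattens nested group definitions into ordinary `name:x:gid:users` group-file lines and rejects cycles. The `@group` source syntax, the sample groups, and the function names are assumptions made for this illustration.

```python
# Constructed sample input. The "@name" syntax for a nested group is an
# assumption of this example, not something the group file itself supports.
SAMPLE = """\
# name:gid:members
staff:1000:alice,bob
dba:1001:carol,@staff
oncall:1002:dave,@dba,@staff
audit:1003:@oncall,erin
"""


def parse(text):
    """Return {group: (gid, [members])} from the nested source format."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, gid, members = line.split(":")
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def expand(name, groups, stack=()):
    """Return the set of users in `name`, following @subgroups transitively."""
    if name in stack:
        raise ValueError("group cycle: " + " -> ".join(stack + (name,)))
    if name not in groups:
        raise ValueError("unknown group: " + name)
    users = set()
    for member in groups[name][1]:
        if member.startswith("@"):
            users |= expand(member[1:], groups, stack + (name,))
        else:
            users.add(member)
    return users


def flatten(text):
    """Render every group as a flat 'name:x:gid:user,...' line."""
    groups = parse(text)
    return [
        "%s:x:%d:%s" % (name, gid, ",".join(sorted(expand(name, groups))))
        for name, (gid, _) in groups.items()
    ]


if __name__ == "__main__":
    print("\n".join(flatten(SAMPLE)))
```

The flattened output is a snapshot: a membership change in an inner group only takes effect in the outer groups after the file is regenerated, so the generated lines are what an access review should read.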