Acl Support In Applications - Novell LINUX ENTERPRISE SERVER 11 - SECURITY Manual
Hide thumbs
Also See for LINUX ENTERPRISE SERVER 11 - SECURITY:
- Installation (5 pages) ,
- Administration manual (452 pages)
Table of Contents
Advertisement
Although no permissions were removed from the ACL entry of the group class,
the mask entry was modified to mask permissions not set in mode.
This approach ensures the smooth interaction of applications, such as compilers,
with ACLs. You can create files with restricted access permissions and subsequently
mark them as executable. The mask mechanism guarantees that the right users
and groups can execute them as desired.
10.4.4 The ACL Check Algorithm
A check algorithm is applied before any process or application is granted access to an
ACL-protected file system object. As a basic rule, the ACL entries are examined in the
following sequence: owner, named user, owning group or named group, and other. The
access is handled in accordance with the entry that best suits the process. Permissions
do not accumulate.
Things are more complicated if a process belongs to more than one group and would
potentially suit several group entries. An entry is randomly selected from the suitable
entries with the required permissions. It is irrelevant which of the entries triggers the
final result "access granted". Likewise, if none of the suitable group entries contains
the required permissions, a randomly selected entry triggers the final result "access
denied".
10.5 ACL Support in Applications
ACLs can be used to implement very complex permission scenarios that meet the re-
quirements of modern applications. The traditional permission concept and ACLs can
be combined in a smart manner. The basic file commands (cp, mv, ls, etc.) support
ACLs, as do Samba and Konqueror.
Unfortunately, many editors and file managers still lack ACL support. When copying
files with Emacs, for instance, the ACLs of these files are lost. When modifying files
with an editor, the ACLs of files are sometimes preserved and sometimes not, depending
on the backup mode of the editor used. If the editor writes the changes to the original
file, the access ACL is preserved. If the editor saves the updated contents to a new file
that is subsequently renamed to the old filename, the ACLs may be lost, unless the ed-
142
Security Guide
Advertisement
Table of Contents
