this post was submitted on 05 Oct 2023
603 points (99.0% liked)

[–] Yerbouti@lemmy.ml 47 points 1 year ago (1 children)

I have no idea what is going on but this looks good. I agree with you guys. Upvoted.

[–] UntouchedWagons@lemmy.ca 11 points 1 year ago

It's for more granular access permissions for files and folders.

[–] exu@feditown.com 31 points 1 year ago (3 children)

Cool. Does ACL support also depend on the filesystem?

[–] tal@lemmy.today 31 points 1 year ago

Yeah, but I think all reasonably-modern Unixy filesystems on Linux will support ACLs. ext2/3/4, btrfs, xfs, zfs, jfs, etc.

[–] 520@kbin.social 12 points 1 year ago (10 children)

Yes. Some filesystems straight up do not support ACL of any kind (eg: fat32)

[–] velovix@hedge.town 11 points 1 year ago (1 children)

Fat32 doesn't support regular file permissions either, right? I was under the impression that it was permissionless.

[–] 520@kbin.social 5 points 1 year ago (1 children)

You are entirely correct, it has no permission system to speak of.

[–] davidgro@lemmy.world 4 points 1 year ago (1 children)

I'll speak of it anyway: There's a "Read-only" bit on every file/directory and The User (there's only one!) can change it for any of them at any time.

[–] palordrolap@kbin.social 26 points 1 year ago (2 children)

Technically, this is also possible by creating extra groups, but this kind of access control presumably exists because the old-school method can be a pain to administer. Choosing group names can also be an "interesting" secondary challenge.

i.e. Dude's not going to be best pleased if they ls -l and see the group on the file is xyzgroup-but-not-dude even if it is with good reason. (Shouldn't have deleted the database, dude.)

[–] tal@lemmy.today 15 points 1 year ago

I don't really think that that's a realistic goal for ACLs. I mean, getfacl showing the user specifically being excluded probably isn't any more-polite.

[–] Frederic@beehaw.org 13 points 1 year ago

In a previous life (in the 90s) I was a un*x sysadmin, and ACL is nightmarish in a big company. I hated it and avoided it.

[–] cybersandwich@lemmy.world 21 points 1 year ago

I understand it all less after reading that. I need more coffee.

[–] trailing9@lemmy.ml 19 points 1 year ago (1 children)

Does anybody use ACL without regretting it?

[–] InternetCitizen2@lemmy.world 5 points 1 year ago

Whoaa, are you ACLing sober? Slow down champ!!

[–] Deconceptualist@lemm.ee 18 points 1 year ago* (last edited 1 year ago)

Cool, I didn't know ACLs were a widely available thing but the infographic explains pretty well! Sounds really useful when granular controls are needed, but I could also imagine it being a huge pain in environments already built out and scripted around regular permissions. Still as always, options are good and an ounce of planning is worth a pound of troubleshooting.

I do low-key hate seeing a directory named "dir" and a group named "me" though. That's chaotic neutral shit at the very least.

[–] doktorseven@lemmy.world 17 points 1 year ago (1 children)

Confusing. You set a mask for a user and somehow it propagated down to a group and then you change permission on that group suddenly it applies to the user? Either something is wrong here or ACL permissions make absolutely zero sense. It is 5 billion times easier to use normal permissions to set these things up.

[–] Deiskos@lemmy.world 12 points 1 year ago* (last edited 1 year ago) (1 children)

I think it's like this: what used to be group in regular permissions output is a union of group and ACL mask in ACL output. Mask sets the upper limit of what ACL can do, so if mask is rw- then it's impossible to set a r-x ACL permission because allowing execution is not allowed.

This seems to be more geared towards enterprise environment where it could be complicated to cleanly define groups, since you can only give access to one you might run into a problem where dept. A needs access to that directory but also person G from dept. B and person K from dept. C.

Yep, it's basically a way to define new groups per directory. But these groups are hidden from the normal group commands!
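
The mask behaviour discussed in the comment above, as an added example that is not part of the thread: a Python sketch of the access check documented in acl(5), run over constructed getfacl-style text. The names dude, dir and me come from the thread; alice, staff and the function names are assumptions, and root's override is not modelled.

```python
# Added example: POSIX ACL access check (algorithm from acl(5)) over getfacl-style text.
# SAMPLE_ACL is constructed sample data, not output captured from a real system.
SAMPLE_ACL = """\
# file: dir
# owner: alice
# group: me
user::rwx
user:dude:r-x
group::r-x
group:staff:rwx
mask::rw-
other::---
"""

def parse_acl(text):
    """Return (owner, owning_group, entries); entries maps (tag, qualifier) -> set of letters."""
    meta, entries = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#"):                  # header lines: "# owner: alice"
            key, _, value = line[1:].partition(":")
            meta[key.strip()] = value.strip()
        elif line:                                # drop a trailing "#effective:..." comment
            tag, qualifier, perms = line.split("#")[0].strip().split(":")[:3]
            entries[(tag, qualifier)] = set(perms[:3]) - {"-"}
    return meta["owner"], meta["group"], entries

def allowed(text, user, groups, want):
    """True if `user` (member of `groups`) is granted every permission letter in `want`."""
    owner, owning_group, acl = parse_acl(text)
    want = set(want)
    mask = acl.get(("mask", ""), set("rwx"))      # no mask entry: nothing is capped
    if user == owner:
        return want <= acl[("user", "")]          # owner entry is never masked
    if ("user", user) in acl:                     # a named user entry wins over any group
        return want <= (acl[("user", user)] & mask)
    matching = [acl[("group", g)] for g in groups if ("group", g) in acl]
    if owning_group in groups:
        matching.append(acl[("group", "")])
    if matching:                                  # one matching group entry must suffice alone
        return any(want <= (perms & mask) for perms in matching)
    return want <= acl[("other", "")]             # other entry is never masked
```

With the mask at rw-, the entry user:dude:r-x is effectively r--, and dude's membership in staff does not restore write access because the named user entry is evaluated first.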

[–] gnutrino@programming.dev 15 points 1 year ago (1 children)

ACL Access-Control Lists

Access Control List Access Control Lists?

[–] whyNotSquirrel@sh.itjust.works 18 points 1 year ago (1 children)

I mean in this case it's to show what ACL means, not like RIP in peace

[–] Akareth@lemmy.world 1 points 1 year ago

That's what parentheses are for.

[–] uzay@infosec.pub 10 points 1 year ago (2 children)

That's all fine and dandy, but why does it say rxw on the left?

[–] Zangoose@lemmy.world 10 points 1 year ago (2 children)

Permissions are listed as "user", "group", "other". I.e. the user who made the file, the group of the user who made the file (usually just their name as a group), and everyone else. In this case the rxw is for the user.

For chmod, you can also represent these as binary numbers: 111 would mean having all 3, 101 would mean having read and write, etc. These binary numbers then get turned back into regular numbers (7 in the first example, since it's 111) for chmod. Giving a file "chmod 777" means the user, group, and other all have full permissions on the file. "chmod 700" gives the creator full control, but no one else can view, modify, or execute the file.

[–] redbeardgecko@lemmy.world 15 points 1 year ago (1 children)

It's supposed to be rwx, not rxw.

[–] Zangoose@lemmy.world 5 points 1 year ago

Oh I completely missed that lol. Oh well, it's probably still a useful explanation for someone else reading this

[–] emptiestplace@lemmy.ml 6 points 1 year ago (1 children)

I feel bad for you because you were just trying to help.

[–] Zangoose@lemmy.world 3 points 1 year ago

🤷‍♂️ They're just internet points, Lemmy doesn't notify about up/downvotes so I will only see it if people respond. Either way it's hopefully still useful to someone else looking at the post who isn't familiar with basic permissions or ACL

[–] mvirts@lemmy.world 1 points 1 year ago (1 children)
[–] yum13241@lemm.ee 1 points 1 year ago (1 children)
[–] mvirts@lemmy.world 3 points 1 year ago

The guide has w and x switched on the left side

[–] orl0pl@lemmy.world 7 points 1 year ago (1 children)
[–] objectionist@lemmy.world 2 points 1 year ago

it’s a really awesome website

[–] PowerCrazy@lemmy.ml 3 points 1 year ago (1 children)

The only thing you need to know about file acls is not to use them. Similar thing can be said for Network ACLs to be honest.

[–] c0mbatbag3l@lemmy.world 4 points 1 year ago (1 children)

I've been a network engineer for five years at three companies and not a one has used switch or router based ACLs. It's all in the FW appliance.

[–] PowerCrazy@lemmy.ml -1 points 1 year ago (1 children)

Network ACLs are my bane. Someone long ago decided we needed to "isolate" the network, so they put ACLs everywhere and so now 50% of my team's time is spent fucking with ACLs :/ It's awful.

[–] c0mbatbag3l@lemmy.world 3 points 1 year ago (4 children)

Yeah don't get me wrong it's an excellent part of network security but if it's not defined primarily on one device it's a hassle.

[–] dylanTheDeveloper@lemmy.world 1 points 1 year ago