Extended ACLs

(Note: Most of this material comes from a paper by Andreas Grünbacher of SuSE Labs, "POSIX Access Control Lists on Linux". See http://www.suse.de/~agruen/acl/linux-acls/online/. It was presented (at least) at the 2003 USENIX Annual Technical Conference.)

What are Extended ACLs? An ACL that carries exactly the same information as the file mode permission bits is called a minimal ACL. It has three entries: one for the owner, one for the owning group and one for everyone else. An ACL with more than those three entries (named users, named groups, and the mask entry that comes with them) is called an extended ACL.

What do they do for us? An example may help.

Business situation:

A possible technical solution using the traditional methods (owner, group and other permission bits):

Directory            Owner        Group          Other
/Project             root  rwx    Project  r-x   ---
/Project/Comments    root  rwx    Project  rwx   ---
/Project/Manual      root  rwx    Editors  rwx   r-x

This solution, though reasonable, requires an extra group (Editors). More complex situations could get unwieldy, since every new combination of people needs yet another group. Another possibility would be to use hard links, but this adds its own set of issues.

Extended ACLs solution

/Project/Manual: Editors rwx; HR, Legal and Management r-x

The added functionality of extended ACLs allows multiple users and/or groups to be assigned differing permissions on the same file or directory. It eliminates the need to create additional groups and, in a situation like this, the need to keep the 'Project' group in sync whenever membership of HR, Legal or Management changes: each of those groups is named directly in the ACL of /Project/Manual.
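As an added example (not from the original notes, nor code from the Linux kernel or the acl package), the following Python models the access check that an extended ACL implies, in the order Grünbacher's paper describes: owner entry, then named user entry, then owning group and named group entries, then the other entry, with every entry except user:: and other:: limited by the mask. The /Project/Manual case above is built as one extended ACL; the group names (editors, hr, legal, management) and the user names are assumed. The text() method renders the ACL in getfacl's long text form, and chmod_group() models the one behaviour most people trip over: on an extended ACL, chmod's group bits are the mask, not the owning-group entry.

```python
# Added example (not from the original notes or the Linux kernel): a model of
# the POSIX.1e access check that extended ACLs imply, applied to the
# /Project/Manual case.  Group names and user names are assumed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

R, W, X = 4, 2, 1  # permission bits, same values as the mode bits


def perms(s: str) -> int:
    """Parse an 'rwx' / 'r-x' style string into a bit mask."""
    return (R if "r" in s else 0) | (W if "w" in s else 0) | (X if "x" in s else 0)


def perms_str(p: int) -> str:
    """Inverse of perms(): 5 -> 'r-x'."""
    return ("r" if p & R else "-") + ("w" if p & W else "-") + ("x" if p & X else "-")


@dataclass
class ACL:
    owner: str
    group: str                  # owning group
    user_obj: int               # user::   entry (owner)
    group_obj: int              # group::  entry (owning group)
    other: int                  # other::  entry
    users: Dict[str, int] = field(default_factory=dict)   # user:NAME:  entries
    groups: Dict[str, int] = field(default_factory=dict)  # group:NAME: entries
    mask: Optional[int] = None  # mask:: entry; present exactly when the ACL is extended

    def __post_init__(self) -> None:
        if (self.users or self.groups) and self.mask is None:
            # An ACL with named entries must carry a mask.  Default it to the
            # union of the group-class entries, which is what setfacl computes.
            self.mask = self.group_obj
            for p in list(self.users.values()) + list(self.groups.values()):
                self.mask |= p

    def is_extended(self) -> bool:
        return self.mask is not None

    def text(self) -> str:
        """Render the ACL in getfacl's long text form."""
        lines = ["user::" + perms_str(self.user_obj)]
        lines += ["user:%s:%s" % (u, perms_str(p)) for u, p in self.users.items()]
        lines.append("group::" + perms_str(self.group_obj))
        lines += ["group:%s:%s" % (g, perms_str(p)) for g, p in self.groups.items()]
        if self.is_extended():
            lines.append("mask::" + perms_str(self.mask))
        lines.append("other::" + perms_str(self.other))
        return "\n".join(lines)

    def check(self, user: str, user_groups: Set[str], want: int) -> bool:
        """Does `user`, a member of `user_groups`, get every bit in `want`?

        Entries are consulted in the order owner, named user, owning group plus
        named groups, other.  In an extended ACL every entry except user:: and
        other:: is ANDed with the mask before it is compared."""
        mask = self.mask if self.is_extended() else R | W | X
        if user == self.owner:
            return (want & self.user_obj) == want
        if user in self.users:
            return (want & self.users[user] & mask) == want
        matching = []
        if self.group in user_groups:
            matching.append(self.group_obj)
        matching += [p for g, p in self.groups.items() if g in user_groups]
        if matching:
            # Any one matching group entry that grants all requested bits suffices.
            return any((want & p & mask) == want for p in matching)
        return (want & self.other) == want

    def chmod_group(self, p: int) -> None:
        """Model what chmod does to the group bits: on an extended ACL they set
        the mask, not group::, so named users and groups can silently lose rights."""
        if self.is_extended():
            self.mask = p
        else:
            self.group_obj = p


# The /Project/Manual directory from the notes as one extended ACL instead of a
# mode plus an extra group.  Constructed values; the group names are assumed.
MANUAL = ACL(
    owner="root", group="editors",
    user_obj=perms("rwx"), group_obj=perms("rwx"), other=perms("---"),
    groups={"hr": perms("r-x"), "legal": perms("r-x"), "management": perms("r-x")},
)

if __name__ == "__main__":
    print(MANUAL.text())
    print("editor can write:", MANUAL.check("alice", {"editors"}, perms("-w-")))
    print("hr can write:", MANUAL.check("bob", {"hr"}, perms("-w-")))
    MANUAL.chmod_group(perms("r-x"))  # what `chmod g-w /Project/Manual` does here
    print("editor can write after chmod:", MANUAL.check("alice", {"editors"}, perms("-w-")))
```

The last two lines of the main block show the caveat in action: after a plain chmod g-w on the directory, the editors group still reads group::rwx in the ACL, but its effective permissions drop to r-x because the mask now limits it. That is why getfacl prints "#effective:" annotations, and why a chmod on an ACL-protected file should be followed by a getfacl to see what was actually changed.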

Requirements for Extended ACLs

Implementing Extended ACLs

Issues with Extended ACLs

Suggestions