Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Microsoft Operating Systems BSD

TrustedBSD Supports Windows NT ACLs With Samba 82

Anonymous Coward writes "Chris Faulhaber, one of the TrustedBSD developers, announced on the trustedbsd-discuss mailing list that Samba's POSIX.1e ACL support is now working on FreeBSD 5.0-CURRENT, and even has a screen shot. This has been a high-demand feature, apparently, and could be a big selling point for sites currently running Windows NT as their enterprise operating system.

Date: Tue, 24 Apr 2001 19:17:52 -0400
From: Chris Faulhaber <jedgar@fxp.org>
To: trustedbsd-discuss@TrustedBSD.org
Subject: Native ACL support for Samba

With the release of Samba 2.2.0, samba offers ACL support to remote clients. I just committed the changes to the FreeBSD CVS tree required to allow Samba to access the FreeBSD ACLs. With an updated -current system and samba-devel port (define WITH_ACL_SUPPORT), Windows NT 4.0 and 2000 clients can now remotely manipulate ACLs. Testing and comments are appreciated.

In addition, the ACL utilities, getfacl and setfacl, have been updated to fully make use of the ACL editing library. They should compile on most ACL-enabled systems (tested on Linux + ACL patches) with little or no change."

This discussion has been archived. No new comments can be posted.

TrustedBSD supports Windows NT ACLs with Samba

Comments Filter:
  • How ironic -- in a story about TrustedBSD, you post your resume in M$ DOC format ;). Kidding aside, I'm also looking for a new job [vt.edu], in Web Development.

    Alex Bischoff
    ---
  • +1 Insightful?

    I don't even know what he's talking about with the anti-american stuff.

    +1 Insightful

    Metamod to the rescue!

    Down that path lies madness. On the other hand, the road to hell is paved with melting snowballs.
  • The VNC server for Windows is inefficient because it scans the screen for changes rather than working as a display driver and intercepting graphics calls. The original author (hi Tim) couldn't find a way to make it work as a driver in the limited time available to him.
  • btw, unix file control is a bit too broad without ACLs, at least in a fileservice role. ACLs are too complicated and annoying in dedicated roles (like webservice, DB, bastion host, etc) but for fileservers they're really handy.

    I'd like to see even more options ala VMS or Novell, with read, write, execute, delete, modify, etc.. As an add-on of course, though an open-standard add-on (which is a big problem with ACLs: they're not standard yet :p)

    Your Working Boy,
    - Otis (GAIM: OtisWild)
  • by Ed Avis ( 5917 ) <ed@membled.com> on Wednesday April 25, 2001 @05:07AM (#266395) Homepage
    What's the state of ACL support with Linux? I heard that they were kinda-supported in 2.2 but not stored in the file system - what's it like with 2.4, and can Samba use them?

    Is this a first for TrustedBSD, or can you get the same ACL support with Solaris, Linux or other 'nixes?
  • Ummm, correct me if I am wrong, but Linux was created my a non-American, and many many of Linux developers are non-American. Its the same thing on the BSD side as on any other open source OS. Its kinda dumb for a so called expert to have these feelings towards BSD for this reason but not towards other open source OSs and especally not towards closed source OSs. If you want to look for backdoors, the source is right there. If you think that someone has snuck backdoors into code that hundreds of people look at, you are kidding yourself. You should be more worried about those closed source OSs and programs which in the past have had backdoors. OpenBSD has been auditied to a great degree, which is more then what I can say for the Linux distributions or NT. I guess you are risking your income anyways recommending Linux or any piece of software that could have backdoors or simply security holes.

    Matt
  • Why, could you back up your claim? What do you use instead of Samba on your company's unix box? I am guessing that you have never tried the BSDs and are a Linux newbie user or Windows 98 user. I guess that is all we can expect from an Anonymous Coward.
  • Does anyone actually bother to use them?

    They are a pain to manage.
  • by Jeremy Allison - Sam ( 8157 ) on Wednesday April 25, 2001 @08:29AM (#266399) Homepage
    The problem with the NetApp implementation is that if you change the unix perms it blows away the set NT perms. The solution I coded for Samba maps the NT perms into POSIX ACLs so the two co-exist.

    Of course the NetApp solution gives full NT ACL semantics, whereas the Samba solution doesn't, but I think the Samba solution gives better UNIX/NT integration.

    Also I don't know any NT admins who understand the full NT ACL semantics :-) :-).

    Cheers,

    Jeremy Allison,
    Samba Team.
  • by scrytch ( 9198 ) <chuck@myrealbox.com> on Wednesday April 25, 2001 @07:29AM (#266400)
    > In my experience, most users of NT-based systems do not use ACLs

    Correct, admins use them, and when done properly, the users never know differently. Users still have uses for ACL's too, and it's really this simple, a question I got at least once a week when doing support for Sun: how to share some files of yours with a co-worker so he can read them but not change them, and with another co-worker that can read and write them (or some other combination of accesses). Answer: set up an ACL (no, we do not create groups every time there's a request for this kind of sharing). Thankfully dtfm could do one thing right, and that was manage ACL's with slightly less pain than manually using setfacl.
    --
  • My totally uninformed and madly speculative opinion is that it's like the POSIX layer in Windows NT - no one ever uses it, but it was added to achieve sufficient buzzword compliancy and allow sales to organizations which required support for that particular standard even if they didn't use it. I'm not saying that was the sole motivation behind this development, but it didn't hurt :)

  • It looks to me like NT 4.0 with either the Plus Pack installed or IE 4 w/Active Desktop, or both. Or, it could be a very early (read "smuggled") build of NT 5.0. They had NT 5 on display at ITEC in early 1998, and it looked like that, with the Win98/Plus Pack "sexy" icons.

    --
  • by bnf ( 16861 )
    Oh, oh, oh PLEEAAAAASSSSSSSSE hiiiiiiiiiiiirrrrrrreeeeeee me [bnf.net]. I am so lonely here in my house. There is very little for me todo except surf the web and wait for the phone to ring. Oh my life is so lonely. I wish I could be a productive member of society but instead I sit here and need to dream up sapm to ship into /. Please help me help our economy turn around.

  • If you have that many WindowsNT/2k file servers maybe you should be looking at something like a NetApp, rather than something like turning thme into a bunch of Linux boxes.
  • What about things like win2k logons/remote access?

    Samba has offered working as a PDC and offering Login-into-domain functionality (tested by me on Win95 / Win98 boxes) for ages. This is what defines what Unix user you create files as on the Samba share etc. and accordingly your permissions.

  • Did you read the story, you know the words at the top of the page? This story is about Samba using TrustedBSD's ACLs. Linus' Linux doesn't even support ACLs without flaky, third-party patches. The Extended Attributes and Access Control Lists for Linux FAQ [bestbits.at] says:



    Q10 When will Posix ACLs be part of the kernel?


    There are multiple steps to getting ACLs into the kernel. The first step, which we are heavily debating on the mailing lists right now, is how to design the system call interface for extended attributes and ACLs. The next step will be to include the extended attribute code into the kernel, or create even better extended attribute code for that purpose. Then, on top of that, we can include ACLs for the ext2 and ext3 filesystems. Other filesystems such as XFS be able to support ACLs directly, without needing extended attributes.


  • Sorry everyone but I don't have the bandwidth to serve the ACL screenshot to the world (was not expecting to be slashdotted :/). Mirrors welcome, though.
  • NT 4.0 sp6
  • If it's just file server space you're talking about, maybe you should consider something like a NetApp Filer. Native support for both NT ACLs and unix-type security as well, and you can get something like a terrabyte in a rack.
  • Some people may be seen as anti-american, just because some of you guys are so america-centric. That's always been a source of various reactions in the other country of the world (remember, the US is not the main part of the world ;) ).

    Maybe they are simply america-independant people, don't you think so ?

    Maybe you would think that they are pro-communist people, because you would like to (even if it's a non-sense to categorize people just by their political group).

    Maybe the truth is that they don't care at all about such consideration... maybe they just want to develop their OS, with people motivated to participate, regardless of their country of origin or politic feeling.

    If a russia OS was ever given to you with full source code, and if it was far better that any other OS known to the US. Would you even consider it?

    Don't base your judgement on political/geographical propaganda.
    You are a tech guy, that's your job. Look at the technical merits of the OS. If you want to, audit the products, or ask an american security auditing companie to do so. Every one would benefit.

    Do you know that some major american-grown products did have backdoors (Interbase comes first to my mind)? what does this inspire you?

  • The solution to the problem is to tell the authors (which he did) that they messed up a tag. "Better" browsers don't automatically correct mistakes so that the author doesn't continue to produce those mistakes. Otherwise there is no consistency as to how -correct- HTML is rendered.
  • I hope someone closes the italics tag kind of quickly, because it's tiring to read all of Slashdot with emphasis.

    READ MORE! 289 of 500 comments, dammit!

    Cheers,
    levine
  • Interesting since for me Netscape 4.x was rendering it properly and IE (what ever is included in WindowsME) was showing it all in italics !
  • Actually, I did get one job offer largely because my resume was in a non-standard format. The Lead Software Architect recognized that my PDF resume was a TeX document. Little things that catch the attention of those literate in such matters CAN make a difference.
  • ACLs are most commonly associated with Trusted Operating Systems (Where TrustedBSD gets it's name) ala the rainbow series of books.

    The NSA's SE Linux [nsa.gov] has been covered here many times.

    Also mentioned in the past is PitBull from Argus Systems [argus-systems.com] (I work across the street from their offices) which stood up to the OpenHack III challenge a few moths back. PitBull gives Trusted OS extentions to Solaris, AIX and Linux. (There's free non-com licenses at Argus Revolution [argusrevolution.com].)

    And Sun also already has a Trusted Solaris.

    There's others as well.

    It occurs to me that you might have meant is it a first to provide ACL support via Samba, in which case I appologize. This was of course already answered by someone else.

    --

  • What are you sorry for? I clearly referred to OpenHack III and not the InfoSec/London challenge.

    The flaw in the OS isn't Solaris specific. Any x86 OS is/was potentially at risk.

    For info on the LDT vulnerability, see this NetBSD Advisory [netbsd.org].

    Additionally, Argus doesn't even sell a version of PitBull for Solaris/x86. Their Solaris/x86 version is only for R&D and it was the one that was used in the InfoSec challenge.

    --

  • The solution to your problems is to avoid using Netscape 4.x

    I'm sure that this doesn't matter to you, but it occasionally happens under Mozilla too.

    Better browsers end text formatting at the end of a block element such as a table.

    Is that part of the standard? I thought it was just discouraged to span formatting tags across tables, not banned.
  • I don't have a clue how to reproduce it. I'm convinced it's a bug in the Slash code somewhere. I've seen it disappear upon reloading the page, so you'll just have to hit Slashdot enough times for it to reappear. I've only seen it once about a week ago and today, and I hit Slashdot's main page about 10+ times over the course of a workday.

    If it's incorrect behavior as you say, then it's probably a Mozilla bug too, but trying to squeeze it out of Slashdot might be hard.
  • "Also mentioned in the past is PitBull from Argus Systems (I work across the street from their offices) which stood up to the OpenHack III challenge a few moths back. PitBull gives Trusted OS extentions to Solaris, AIX and Linux. (There's free non-com licenses at Argus Revolution.)"

    Sorry, their latest "Open Hack" got them hacked, and they paid the $48,000 prize. This was a couple of days ago.

    In defense of a good product, the hack was a flaw in the OS (Solaris x86) that was unpublished (but VERY nasty).
    --
    Charles E. Hill
  • Well, despite what others here think, .DOC files (95 or 97) are perfectly acceptable. You might want to consider adding an .RTF and a .TXT version.

    There are several companies that accept only text resumes via e-mail, as they are automatically 47/*filtered, filed, sorted, etc. which isn't easy with Word .DOC files. (Especially now that many companies are very wary of macros and VB Scipt.)


    --
    Charles E. Hill
  • I wasn't sure you knew about InfoSec. Ignoring the bad (InfoSec) in favor of just the good (OpenHack) is deceptive.

    Argus PB *was* hacked at OpenHack III, the hacker just missed the deadline by a couple of hours. Still, they were hacked none the less.

    I'm aware their Solaris X86 code isn't kept up to date -- it was pure foolishness on their part to run a contest then say 'well, it wasn't production code, etc.' They should have been using Solaris Sparc or Linux with their product.

    Yes, it is a good product. Nothing is perfect, but PB is many steps ahead in the security game.

    --
    Charles E. Hill
  • Why is everthing on the front page in italics, even the "Read more X out of X comments" section??
    ...and I'm not sure we should trust this Kyle Sagan either.
  • To quote: In addition, the ACL utilities, getfacl and setfacl, have been updated to fully make use of the ACL editing library. They should compile on most ACL-enabled systems (tested on Linux + ACL patches) with little or no change.

  • ...and, of course, snapshots are also supported by FreeBSD.
  • That's not VMware my friend, that is VNC. I bet he's running Windows NT on either his in machine under VMware and then using VNC to get to it, or running it on a remote machine.

    In my experiance, displaying WinNT under VNC is slow... but VNC isn't known for it's speed.

    VMware + VNC = very slow, but still useful
  • What *ARE* you Talking about ?
    I'm not going to risk my income by setting up a *BSD server with a fortune 500 company only to find out later that the system has back doors in it which allow the foreign BSD developers to access their critical data

    Of course, you would rather have American Corporations put the back doors in. They have much more interest in critical data than foreign hackers do anyways; and, as an added bonus, they could give the back doors to the Feds, so that when the SEC is investigating them for insider trading, they don't even have to LOOK for the evidence.

    I want to know if any outside and independant people have auditied the code

    I want to know if any outside and independant people have audited Windows, Solaris, or AIX and why you think that M$ Sun and IBM have motives any more pure that of "foreign BSD Developers"; Oh Yeah, corporate closed-source OS'es can't be audited, so we'll never know. Open Source OS'es have source code; if anyone ever found an intentional back-door in an Open source OS that system would be DOOMED.
    One More thing, out of which orifice did you pull these uninformed opinions ?

    -- Rich
  • I use FreeBSD, so don't let other know what I am about to say. :)

    I believe NetBSD [netbsd.org] would support all of those hardware platforms you mentioned. Unfortunately, I do not believe it has support in Samba concerning ACL's, but I do not know for certain. Check out Samba to see what OS's it supports ACL's.

    FreeBSD [freebsd.org] is mainly an x86 OS with some support for a couple of other platforms.
  • Not to say that ACLs don't have their own problems, especially wrt to complexity. NT, for example, allows permissions on file/print shares, and those are often used instead of ACLs.

    Actually, NT uses thw following method to determialternative ne your access:

    1. Work out the greatest amount of privilege you have through ACLs
    2. Work out the greatest amount of privilege you have through shares
    3. The final privilege is the most restrictive of the two above

    Complex huh? But we don't have to emulate the share/ACL combo on Linux. We do, however, need a system which allows for basic, realistic, access control situations:

    * Some word processor templates are stored on a server
    * A group of users edit these templates
    * Another group of users can only read these templates
    * All other users may not view these templates at all, as they contain business sensitive information.

    A simple case found frequently in many offices. But not currently handled by RWX permissions at all, which are, in essence (and excuse the French) fucking pathetic.

    Thank God the Linux ACL project is going to be one of the first Linux Security Module's for the 2.4 kernel. Thankyou SGI and everyone else making this a reality. With any luck, Linux will have a permission system that doesn't suck RSN.
  • Not to say that ACLs don't have their own problems, especially wrt to complexity. NT, for example, allows permissions on file/print shares, and those are often used instead of ACLs.

    Actually, NT uses thw following method to determialternative ne your access:

    1. Work out the greatest amount of privilege you have through ACLs
    2. Work out the greatest amount of privilege you have through shares
    3. The final privilege is the most restrictive of the two above

    Complex huh? But we don't have to emulate the share/ACL combo on Linux. We do, however, need a system which allows for basic, realistic, access control situations:

    * Some word processor templates are stored on a server
    * A group of users edit these templates
    * Another group of users can only read these templates
    * All other users may not view these templates at all, as they contain business sensitive information.

    A simple case found frequently in many offices. But not currently handled by RWX permissions at all, which are, in essence (and excuse the French) fucking pathetic.

    Thank God the Linux ACL project is going to be one of the first Linux Security Module's for the 2.4 kernel. Thankyou SGI and everyone else making this a reality. With any luck, Linux will have a permission system that doesn't suck RSN.
  • The bottom line is: ACL's are great and wonderful and all that. Force them on every file in the system however, and you're looking for big trouble and even bigger headaches.

    Why? A single line ACL is less complex than 3 sets of rwxs bits. It seems to me ACLs are as complex as you want them to be.

  • Standard NT 4.0

    The icons are the high color icons available in Start -> Control Panel -> Display -> Effects, in the check box marked `show icons using all possible colors'.

  • Please note: this is not a flame, just an honest question.

    While adding functions to Open-Source system is certainly the whole point of FreeBSD, Linux, etc... I can't help but wonder why this particular function is interesting.

    In my experience, most users of NT-based systems do not use ACLs and never bother to set them correctly (if at all). Keeping those (unset) ACLs on a Samba-based BSD server therefore seems like a waste of time... =(

    Therefore, having Samba-based ACLs on a *BSD system seems to me totally uninteresting, except if, like a previous poster has remarked, you need some sort of TLA buzzword (Posix-compliant ACLs! Wow!) for your clueless PHB.

    Could anyone please explain the interest of such a thing? Many thanks in advance...
  • Linux was created in Finland, yes. Though the largest distributors are based in the US. (RedHat, for example) BSD stands for Berkeley Software Development, and came from Berkeley California, USA. The OpenBSD project is based in Canada at least in part because the US Crypto laws are so stupid.

    I agree with the rest of your assessment though. Ruling out Open Source on the usual corporate-think grounds is pointless.

  • by Baki ( 72515 )
    FreeBSD has had ACL's for ages. They aren't used much though, since managing ACL's is a nightmare, typically something for control freaks one finds in corporate environments.

    The only thing that has changed now is that the FreeBSD ACL's are used by Samba, so that the ACL's that Windows security uses can be provided via a Samba server running on FreeBSD.

    This might satisfy those people who want to replace their NT fileservers with UNIX/Samba fileservers, but who absolutely demand ACL's.

  • html?


    I mean, if you can read the page the link is on, then you can read the resume as well. Sounds like a good idea to me.

  • Thank you! I was trying to figure out what the hell was going on there. One little secret, though, is that he's actually pulling the whole thing off by running X off an OS/2 machine in Gdansk, Poland ;)

    --

  • This has been one reason my employer keeps arguing against linux fileservers,

    Except that:

    1) it is FreeBSD. (Now you may have said "Open Source OS" and it was heard as "linux" by others :-)
    2) it is in CURRENT.

    Somedays CURRENT works, other days not. Using current on a business critical system is life on the edge. More power to you if you live there.
  • With our current hardware, linux *could* run on all the machines

    If its an X86 machine with mainstream hardware, yes it should.

  • No, Netscape only displays what the webpage designer told it to display. If the webpage designer can't close off what he wants in italics with the tag then of course the whole page is shown in italics. What we need is better web designers not slask-assed gits who program for IE and it's slack attitude towards HTML. Even Opera displays it all in Italics. If web page designers could write webpages properly instead of expecting the browser to know exactly what you want. Then we'll all see this kind of incompatibility.
  • Yes, it is WELL supported in both 2.2 and 2.4. Check out http://acl.bestbits.at/ [bestbits.at].

    And, yes, it is supported in Samba 2.2.

    zsazsa
  • I tend to group BSD and Linux people togeather (despite the fact that many would strongly protest that) because they are the same basic type of people - out to create a good free software system and willing to get into the guts of a computer to do it. Despite being a Linux person, I will quite readily work with BSD. So you are correct, but that's how I was thinking. My apologies.
  • Yes, it is really good. There are a number of reasons for this.

    1) Linux users tend to be highly technical people, and would almost certainly find uses for ACLs. They would put in the time to understand them properly, something (I suspect) many Windows NT people don't need or want to do. So the inclusion of ACLs in Samba might actually encourage better use of ACLs overall, as the unix people see the advantage and start to educate everyone else (especially whoever maintains the NT desktops.)

    2) Corporate use is one of the key target markets for Linux, and the corporate market is a market much more likely than desktop users to want and need ACLs. The PHB will only know that it is new and cool, but the techs in the back room can put it to real use. Any selling point such as ACLs is to be desired, since use in business will provide both a steady market and educate people about open source.

    3) More power in software is ALWAYS better than less power, unless it eats an insane amount of resources. This wouldn't.

    4) It might put more pressure on the general open source population to update their permissions system, which is also a good thing.
  • Yes ACLs work great under 2.2.x and 2.4.x Linux kernels (apply the ACL patches) and with SAMBA 2.2.

    Either FreeBSD or Linux would make suitable replacements for Win2K/NT file servers in this respect.

  • *sniff* *sniff*

    There be trolls here. But given the fact there are gullible people who will buy into the conspiracy you push...

    First, take a look at:

    http://www.openbsd.org/goals.html

    Where you see how many developers of OpenBSD are in the "American" sector.

    Next, take a look at:

    http://www.openbsd.org/users.html [openbsd.org]
    http://www.netbsd.org/gallery/sites.html [netbsd.org]
    http://dmoz.org/Computers/Software/Operating_Syste ms/Unix/BSD/FreeBSD/Prominent_Users/ [dmoz.org]

    BTW, what outside independent group has reviewed M$ code, or DEC code, or Sun code, or AIX code...

    I suppose you don't consult to the feds, since they use xbsd (DOJ uses OpenBSD).

    As an expert on operating systems, you should be aware that the common commercial vendors are full of bugs and security holes. By telling your customers that they are safe because they are using American/commercial products, you are doing them a disservice.

    How could you trust the agenda of an outside independent code review. After all, they might be just as anti-American!

    I truly hope you make it as an anti-xbsd consultant. Good luck.

  • I'm too lazy to find links, but I believe that TrustedBSD is adding ACLs to FreeBSD for general use. The news today is that Samba can now manipulate those ACLs. So they are not "Samba-based ACLs", but general purpose ACLs that can be used by Samba.

    I'm told that ACLs are a Good Thing (TM), though I have no personal experience to back this up.

  • reply - fixed now~
  • by Tairan ( 167707 ) on Wednesday April 25, 2001 @05:16AM (#266447) Homepage
    at my site [johncglass.com]. Be sure to look around! I need a new job - see if you can offer me one. [johncglass.com]

  • Exactly what version of Windows NT are they running in that VMWare screenshot? Those icons look like very early 4.0.
  • This is by far one of the best trolls I have ever seen, try following the link to wagnerconsulting.com. The usa.com is a freebee mail or fake (I remember another troll who used usa.com and my favorite bgates@hell.com).

    Unfortunately the expert gave himself away early on with the non US crap and later again with the auditing - I think the auditing remark was intentional, in any case, a very creative little troll.

  • acl.shot.jpg screenshot of NT (in vmware, via VNC (from a laptop)) using Samba+ACL's under FreeBSD Removed due to lack of bandwidth
  • A friend of mine once tore his ACL playing football. The doctor told him that it was just a sprained MCL and that it felt tender near the ACL. He had surgery and was on crutches for a while. He recently tore some cartiledge in that knee too. Such is mango :-)

  • Did Slashdot's layout change to oveeuse of the itallics (&lti&gt) tag? Or did someone forget to close the tag (&lt\i&gt)?

    My whole front page is in itallics...

  • My whole front page is in itallics...

    Mine too. Fuck italics.

  • Ok. I don't know if you're serious or not. I suspect not, but I can't ignore such an absurd comment.

    Anti-american?! Are you sure that your name isn't McCarthy? What a load of drivel. Even if this were the case, then surely this should only be an issue when recommending systems to the US government, not privately held companies/corporations?

    Arguably, the US govt has made things a little difficult for any OS (open-source or not) with the crypto regulations, and this does affect secure OSes more than others. This is why ISTR OpenBSD is based in Canada.

    The reason why BSD is released under such a liberal licence is that they want high quality code. This is why some/all of the BSD network stack made its' way into the Windows NT/2k networking stack. Perhaps you advise that your clients avoid MS products, too? I know I would, but, I suspect, for different reasons. (grin)

    I cannot understand why some people have such an absurd distrust of others based on their nationality and/or political views.

    And if you're that concerned about conspiracies and smokescreens, either see a psychiatrist or look at the code yourself.

  • GAAAAAAAAAAAH I can't believe, what a moron. Just because some people are "anti-american" (just because they CRITICIZE the things they don't like instead of just saying "Hey, it's USA, I love USA, look, I have no brain, I can't think by myself!"

    Linux was created by a non-american guy. OOoooooh, I guess Linus Torvalds made a backdoor to take control of USA satellites and missiles, because he is "anti-american".

    Let's face it. That argument was REALLY stupid.
    ------------------------------------------------
    You think Bill Gates is evil?
  • I'm the network admin of a midsized govt organization and use NT ACLs extensively. This is just the kind of thing I need as a critical technology to help with my divorce/exit strategy from Microsoft. As soon as I'm comfortable with running FreeBSD 5.x-CURRENT (yeah a development release) in a production environment. I'm going to switch and never look back. I once had a FreeBSD machine (2.6) up for over a year without a reboot, so I know how good of a Unix it really is.... I'm just a bit skittish to be an early adoptor of 5.x just yet.
  • I did my last resume in Word, but I had to fuck around so much that when it came time do to the current one I just said fuck it and did it in LaTeX. And its much more logical because I can comment sections out for different versions, and I get a PDF. (sending PostScript is pushing it).
  • but really I have been arguing for an open source OS (to run practically all the machines in the server room- would make alotta things easier, right now we have: HPUX, Solaris Sparc, Solaris x86, WinNT, Win2k, etc...)

    Most people let the OS choice be driven by what the server is running, not the other way round (within certain parameters). Don't base a decision on blind religous open source reasons. If you can't come up with good reasons to change, don't.
  • hehehe..... was wonderin when someone would have a good comeback to that stupid "*BSD is dying" troll. =)

    --
    Tres_Status
  • by Zeinfeld ( 263942 ) on Wednesday April 25, 2001 @08:31PM (#266460) Homepage
    Does anyone actually bother to use them?

    I don't use them on my home machines, but I often wish I had - and that is with two users, both of whom know the root password.

    When I did sysadmin type stuff I used them extensively.

    NT ACLs are very usefull since if you run IIS the file permissions map right through to the web server.

    I agree however with a point raised by Butler Lampson several times, ACLs are a pain to manage they should not apply to files. Instead individual users should be allowed to define named access policies via an ACL and then apply the policy to the file.

    What this would mean is that if you decide to kick Alice off the system you can revoke all her ACLs at one time, or if you decide to give her special privs you can do it all in one.

  • This has been one reason my employer keeps arguing against linux fileservers, the lack of support for win2k acls.. maybe now they will think again (or come up with another argument?)

    Does anyone have any other good points (besides the obvious) for a university to switch from running windows2k/NT on its fileservers? Right now, we have nearly 20 boxes in the machine room running winNT/2k, seems like there are too many machines. What about things like win2k logons/remote access? Is there a way to manage this under linux/bsd?
  • I just read in the article it mentioned it worked on linux+acl patches, but really I have been arguing for an open source OS (to run practically all the machines in the server room- would make alotta things easier, right now we have: HPUX, Solaris Sparc, Solaris x86, WinNT, Win2k, etc...)

    With our current hardware, linux *could* run on all the machines (can BSD? I dont know. Im asking. Im not too familiar with BSD other than its another open source OS that is UNIX like)

    Im not a linux zealot, just want to know... :)

    Education is a good thing

    As for CURRENT vs Stable... if a decision were to be made today to run BSD or Linux, it wouldnt actually happen for months...I would hope that within that time a Stable version would be out to incorporate the updates...

  • Going to the directory of that link you see... acl.shot.jpg screenshot of NT (in vmware, via VNC (from a laptop)) using Samba+ACL's under FreeBSD Removed due to lack of bandwidth
  • ACLs are being used extensively by many people.
    They can be misused, make no mistake, but used correctly, they are far superior to rwx method that is the prefered by the *nix people.
  • It's nice to see ACLs finally making their way to Free Unixen and with implementations that cooperate with other OS's (including those that wouldn't return the favour.)

    I'm curious to know if there are similar projects being worked on for Linux, and if OpenBSD will eventually pick up the TrustedBSD work?
    --
    Keep attacking good things as "communist"

  • Blue Screen of Death.

    And I thought you get enough BSDs on Windoze even without the official FreeBlueScreenofDeath `service pack'.

    --

  • The trouble with ACL's on NT is that that's all you get. The vast, vast majority of files on a system don't need that kind of fine grained control, and the complexity of ACL's, in addition to the horrid file system organization of an NT system, makes security extremely tough to keep under control.

    On the other hand, posix ACL's are optional. You still get the old *nix style permission system, which is perfect for most files (/usr/bin/* for example). You simply add ACL's to certain files where they're needed and leave the rest of the filesystem alone.

    Using my home system as an example, I would probably use ACL's for all my html files, and for my cvs repository. Everything else would be left as-is.

    The bottom line is: ACL's are great and wonderful and all that. Force them on every file in the system however, and you're looking for big trouble and even bigger headaches. NT is a text-book example of bad design in this area (and maybe one or two others :-).

    --
    Damn it Jim, that's my sphincter, not a jelly donut!!!
  • Assuming NetApp would be used exclusively to provide file sharing for Windows machines, why would anyone care ?
  • The solution to your problems is to avoid using Netscape 4.x. Better browsers end text formatting at the end of a block element such as a table.
  • First of all, I'm not defending bad HTML. I am demanding standards-compliant browser behavior. From the HTML 3.2 specification (if you can even call that Netscape-accommodationalist document a specification):

    Text level elements
    These don't cause paragraph breaks. Text level elements that define character styles can generally be nested. They can contain other text level elements but not block level elements.


    Netscape clearly interpreted the rest of the table as being contained in the <I> element, in violation of the specification. Incorrect HTML, sure, but theoretically no worse than not closing your <P> tags.

    Mozilla and IE both correctly assume that the italic element ends where the table cell does.
  • The main reason that ACLs are complex on NT is not because they're ACLs, it's because the OS has a set of marketing requirements that Unix doesn't have.

    First of all, there's the partially priviledged "Power User" group. Probably a braindead idea because there's numerous priv escalation bugs to be found there (and it wasn't unitil NT5 did MS start considering Power User to Local Admin a bug!)

    Second, there's the real problem of running legacy Win95-style applications. Personally, I'd love it if Microsoft just broke these for Power Users in the same way they broke them for Users (in W2K). But those of you who are running broken apps in legacy mode (such as Nutscrape 4.x or Office 97) probably wouldn't, and neither would Microsoft because their app base is the source of their strength.

    Any old NetWare admin can tell you that ACLs are damn useful on file shares. Trying to discredit them via the abortion of NT's system files doesn't count because it doesn't apply to Unix (where there's root and there's everyone else).
  • ACLs are the only real solution for the situation where you have one group with Read Only access and another group with Read/Write access, and yet another administrative group.

    There's also the kudgyness of creating groups just to solve a particular access control problem. Have many thousand users in a directory environment, and it just doesn't scale up.

    Not to say that ACLs don't have their own problems, especially wrt to complexity. NT, for example, allows permissions on file/print shares, and those are often used instead of ACLs.

    Not to mention that network types have gotten used to ACLs since Novell 3.x back in the early 90s. It has become a checkbox feature.

The person who can smile when something goes wrong has thought of someone to blame it on.

Working...