12.2 Advantages of ACLs
Traditionally, three permission sets are defined for each file object on a Linux system. These sets include the read (r), write (w), and execute (x) permissions for each of three classes of users: the file owner, the owning group, and all other users. In addition, the setuid bit, the setgid bit, and the sticky bit can be set.

This lean concept is fully adequate for most practical cases. However, for more complex scenarios or advanced applications, system administrators formerly had to resort to a number of tricks to work around the limitations of the traditional permission concept.
ACLs can be used as an extension of the traditional file permission concept. They allow permissions to be assigned to individual users or groups even if these are neither the file owner nor the owning group. Access control lists are a feature of the Linux kernel and are currently supported by ReiserFS, Ext2, Ext3, JFS, and XFS. Using ACLs, complex scenarios can be realized without implementing complex permission models at the application level.
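The following added example (not from the original guide) models the two access checks the text contrasts: the traditional owner/group/other check on the mode bits, and the POSIX.1e access-check algorithm the Linux kernel applies once a file carries an extended ACL, including the mask entry that caps named-user and group entries. It goes slightly beyond the paragraph above by showing the mask's effect. The numeric ids (owner 1000, group 100, named user 1001) and the permission values are constructed sample data; `render_acl` prints the entries in the numeric form that `getfacl` shows with its numeric option.

```python
"""Model of Linux access checks: classic mode bits versus a POSIX ACL."""
import stat
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Permission bits as in one octal digit of chmod(1).
R, W, X = 4, 2, 1


def special_bits(mode: int) -> Dict[str, bool]:
    """Decode the setuid, setgid, and sticky bits from a full st_mode value."""
    return {
        "setuid": bool(mode & stat.S_ISUID),
        "setgid": bool(mode & stat.S_ISGID),
        "sticky": bool(mode & stat.S_ISVTX),
    }


def traditional_check(mode: int, owner_uid: int, owner_gid: int,
                      uid: int, gids: Set[int], want: int) -> bool:
    """Classic check: exactly one of the three rwx triplets applies."""
    if uid == owner_uid:
        bits = (mode >> 6) & 7          # owner triplet
    elif owner_gid in gids:
        bits = (mode >> 3) & 7          # owning-group triplet
    else:
        bits = mode & 7                 # "other" triplet
    return want & bits == want


@dataclass
class Acl:
    """An access ACL: the three base entries plus optional named entries."""
    user_obj: int                        # user::   (owner)
    group_obj: int                       # group::  (owning group)
    other: int                           # other::
    users: Dict[int, int] = field(default_factory=dict)   # user:<uid>:
    groups: Dict[int, int] = field(default_factory=dict)  # group:<gid>:
    mask: Optional[int] = None           # mask::  (absent on a minimal ACL)


def acl_check(acl: Acl, owner_uid: int, owner_gid: int,
              uid: int, gids: Set[int], want: int) -> bool:
    """POSIX.1e access check: owner, named user, groups, then other.

    The mask caps named users, the owning group, and named groups, but
    never the owner or the "other" entry.
    """
    def masked(perms: int) -> int:
        return perms if acl.mask is None else perms & acl.mask

    if uid == owner_uid:
        return want & acl.user_obj == want
    if uid in acl.users:
        return want & masked(acl.users[uid]) == want
    # Group stage: if any matching group entry grants the request, allow it;
    # if groups match but none grants it, deny without falling back to other.
    matched = False
    if owner_gid in gids:
        matched = True
        if want & masked(acl.group_obj) == want:
            return True
    for gid, perms in acl.groups.items():
        if gid in gids:
            matched = True
            if want & masked(perms) == want:
                return True
    if matched:
        return False
    return want & acl.other == want


def perm_str(perms: int) -> str:
    return "".join(c if perms & b else "-" for c, b in (("r", R), ("w", W), ("x", X)))


def render_acl(acl: Acl) -> str:
    """Render the ACL in getfacl's entry syntax with numeric ids."""
    lines = [f"user::{perm_str(acl.user_obj)}"]
    lines += [f"user:{u}:{perm_str(p)}" for u, p in acl.users.items()]
    lines.append(f"group::{perm_str(acl.group_obj)}")
    lines += [f"group:{g}:{perm_str(p)}" for g, p in acl.groups.items()]
    if acl.mask is not None:
        lines.append(f"mask::{perm_str(acl.mask)}")
    lines.append(f"other::{perm_str(acl.other)}")
    return "\n".join(lines)


# Constructed sample: file owned by uid 1000 / gid 100 with mode 0640.
OWNER, GROUP, OUTSIDER = 1000, 100, 1001
MODE = 0o640
# An extended ACL that additionally grants the outsider rw-, capped by mask.
EXTENDED = Acl(user_obj=R | W, group_obj=R, other=0,
               users={OUTSIDER: R | W}, mask=R | W)

if __name__ == "__main__":
    print("mode bits alone, outsider wants rw:",
          traditional_check(MODE, OWNER, GROUP, OUTSIDER, {OUTSIDER}, R | W))
    print("with ACL, outsider wants rw:",
          acl_check(EXTENDED, OWNER, GROUP, OUTSIDER, {OUTSIDER}, R | W))
    print(render_acl(EXTENDED))
```

Running it shows the difference the paragraph describes: with the mode bits alone, uid 1001 gets nothing, while the named `user:1001:rw-` entry grants read and write without changing the owner or owning group. Tightening `mask` to `r--` would silently reduce that entry's effective rights, which is why `getfacl` output should always be read together with its mask line.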
The advantages of ACLs are evident if you want to replace a Windows server with a Linux server. Some of the connected workstations may continue to run Windows even after the migration. The Linux system then offers file and print services to the Windows clients with Samba. Because Samba supports access control lists, user permissions can be configured both on the Linux server and in Windows with a graphical user interface (only on Windows NT and later). With winbindd, part of the Samba suite, it is even possible to assign permissions to users that exist only in the Windows domain and have no account on the Linux server.