ACL On Linux like Windows Permissions
Is there something for Linux where you have more advanced controls for Linux permissions on users and groups, like Windows? Is that what SELinux is about?
The POSIX ACL format is mostly just an extension to allow specifying the read/write/execute permissions for several users:
$ setfacl -m u::rw,u:httpd:r,g::- ssl.key
$ getfacl ssl.key
# owner: root
# group: root
user::rw-
user:openldap:r--
user:httpd:r--
user:postfix:r--
group::---
mask::r--
other::---
Inheritance is done using “default ACLs”:
$ getfacl /var/log/journal/
# owner: root
# group: systemd-journal
# flags: -s-
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:adm:r-x
default:group:wheel:r-x
default:mask::r-x
default:other::r-x
$ touch /var/log/journal/test
$ getfacl /var/log/journal/test
# owner: root
# group: systemd-journal
user::rw-
group::r-x	#effective:r--
group:adm:r-x	#effective:r--
group:wheel:r-x	#effective:r--
mask::r--
other::r--
On the other hand, the NFSv4 ACL format would be very similar to that of Windows & NTFS – slightly different principal names (using NFSv4-style user@domain rather than Windows SIDs or DOMAIN\name), but almost identical permission flags.
Both ACLs and basic Unix permissions are a “discretionary access control” tool – they’re generally set by the object’s owner; if you create a file, you can make it readable to anyone. SELinux, meanwhile, is an implementation of mandatory access control – all SELinux rules are written by the system administrator and cannot be changed by users, even for files they have created. Other such systems are AppArmor, SMACK; Windows Vista has a very basic scheme called Mandatory Integrity Control.
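As an added illustration (my own code, not part of the answer above or of the acl tools themselves) of what the two getfacl listings are showing, here is a small offline model of the POSIX.1e rules from acl(5): it parses getfacl output, applies the mask entry to produce the `#effective:` annotations, derives the ACL a new file inherits from a directory's default ACL, and runs the owner / named-user / group / other access check. The two listings are copied from the answer (the journal one reduced to its default entries); the function names and the 0666 creation mode that `touch` requests are my assumptions.

```python
"""Offline model of POSIX.1e ACLs (rules per acl(5)): parse getfacl output, apply the
mask for #effective bits, derive a new file's ACL from a default ACL, check access."""

def perm_to_bits(s):  # 'r-x' -> 5 (r=4, w=2, x=1)
    return sum(v for ch, v in zip(s, (4, 2, 1)) if ch != "-")

def bits_to_perm(b):  # 5 -> 'r-x'
    return "".join(ch if b & v else "-" for ch, v in zip("rwx", (4, 2, 1)))

def parse_getfacl(text):
    """Return {'owner', 'group', 'access': [(tag, qual, bits)], 'default': [...]}."""
    acl = {"owner": None, "group": None, "access": [], "default": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):  # header comment: keep owner/group, skip the rest
            key, _, val = line[1:].strip().partition(":")
            if key in ("owner", "group"):
                acl[key] = val.strip()
            continue
        line = line.split("#", 1)[0].strip()  # drop any '#effective:' note
        if not line:
            continue
        kind = "access"
        if line.startswith("default:"):
            kind, line = "default", line[len("default:"):]
        tag, qual, perms = line.split(":")
        acl[kind].append((tag, qual, perm_to_bits(perms)))
    return acl

def effective(entries):
    """(tag, qual, bits, effective bits): the mask caps named users, the owning
    group and named groups, but never user:: or other::."""
    mask = next((p for t, _, p in entries if t == "mask"), None)
    return [(t, q, p, p & mask if mask is not None and (t == "group" or (t == "user" and q)) else p)
            for t, q, p in entries]

def render(entries):
    """Format like getfacl, annotating entries the mask reduces."""
    lines = []
    for tag, qual, perms, eff in effective(entries):
        note = f"\t#effective:{bits_to_perm(eff)}" if eff != perms else ""
        lines.append(f"{tag}:{qual}:{bits_to_perm(perms)}{note}")
    return "\n".join(lines)

def inherit(default_entries, create_mode):
    """ACL a new object gets from its parent's default ACL: named entries are copied;
    user::, other:: and mask:: (group:: if there is no mask) are ANDed with the
    matching bits of the creation mode. The umask is not applied in this case."""
    has_mask = any(t == "mask" for t, _, _ in default_entries)
    result = []
    for tag, qual, perms in default_entries:
        if tag == "user" and qual == "":
            perms &= (create_mode >> 6) & 7
        elif tag == "other":
            perms &= create_mode & 7
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            perms &= (create_mode >> 3) & 7
        result.append((tag, qual, perms))
    return result

def allowed(acl, user, user_groups, want):
    """Access check: owner entry, else named-user entry, else any matching group entry
    whose masked bits suffice (a matching but insufficient group denies), else other::."""
    need = perm_to_bits(want)
    eff = {(t, q): e for t, q, _, e in effective(acl["access"])}
    if user == acl["owner"]:
        return eff[("user", "")] & need == need
    if ("user", user) in eff:
        return eff[("user", user)] & need == need
    matched = False
    for g in user_groups:
        key = ("group", "") if g == acl["group"] else ("group", g)
        if key in eff:
            matched = True
            if eff[key] & need == need:
                return True
    return False if matched else eff[("other", "")] & need == need

# Listings copied from the answer above (the journal one reduced to its default entries).
SSL_KEY_ACL = parse_getfacl("""\
# owner: root
# group: root
user::rw-
user:openldap:r--
user:httpd:r--
user:postfix:r--
group::---
mask::r--
other::---
""")
JOURNAL_DIR_ACL = parse_getfacl("""\
default:user::rwx
default:group::r-x
default:group:adm:r-x
default:group:wheel:r-x
default:mask::r-x
default:other::r-x
""")
```

`render(inherit(JOURNAL_DIR_ACL["default"], 0o666))` reproduces the second getfacl listing from the answer, including the `#effective:r--` notes: the default `mask::r-x` is ANDed with the group bits of the requested mode and then caps every group entry, which is why `group:adm:r-x` only grants read in practice. `allowed(SSL_KEY_ACL, "httpd", ["httpd"], "r--")` is True while `allowed(SSL_KEY_ACL, "nobody", ["nobody"], "r--")` is False, matching the `user:httpd:r--` and `other::---` entries of the first listing.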