
Re: ACIs and OL 2.3



Quoting Piotr Wadas <pwadas@jewish.org.pl>:

>> I think this is the very important part here -- deprecated and discouraged.
>> I'd argue that long term, ACI support should be removed entirely (perhaps for
>> 2.5?).  The entire concept of ACI's is broken.
>> 
>
> Is it really so bad? I mean, I actually don't know, you're probably
> right if you say so, anyway I'd really regret such feature to be
> discontinued. I was testing it very long ago, and, despite its
> complexity and its experimental flavour, the concept itself
> was very exciting.

I've been using it successfully for years on my production machines.
Granted, it's a mess to work. But so is everything if you don't have
the right tools...

> I was hoping someday this will be implemented
> in tested/documented and stable version.

So did I.

> Imagine that someone could say, that "the entire privileges and
> ownerships concept in Unix is broken", wouldn't that sound a little
> bit em. weird? :)

No, because 'everyone' has said it for years :)

That's why they invented ... whats-the-module that does ACL in filesystems...
Haven't compiled a kernel in quite a while, but there IS an option (and
has been for quite a number of years) that gives MORE (MUCH more) control
to the administrator.

And in AFS (which I use extensively), there's ACL's as well...

UNIX access control is _horribly_ broken. BUT, and I would like to plead
with the OL developers. Don't remove something like OpenLDAPaci without
having a replacement! Even though it might be bad, it's the only thing
usable (I'm not going with the ACL because _that_ I find broken! :).

Static access control!? You got to be kidding...

> what could do the work
> better than such (actually simple in its basics) concept ?

Basically anything for someone with a dynamic environment...
But let's not go there...