[plug] Linux and ACLs - practical experiences?

Denis Brown dsbrown at cyllene.uwa.edu.au
Tue Jan 6 07:34:59 WST 2004 

Dear PLUG list members,

I would appreciate comments from people who are using Linux ACLs in the
wild for situations involving a mixed Linux / Windows environment.   Mr
Google is friendly on the theory side but not yet seen any comments on:

1) performance hit on the (Linux) server through implementing the kernel
patches
2) whether implementing ACLs in SaMBa is better than implementing in the
kernel
3) how fine-grained can control be implemented at file level
4) gotcha's.

To put this in perspective:
Linux server, SMP kernel if that makes a difference.
Several Linux workstations connect to this server.
Several Windows boxes connect to this server.
Windows-based backup of data areas - DON'T ask!!
Users (on the Windows' boxes) need to have private file/directory space as
well as shared access to common areas on the server.
Eventually there may be a second server, also Linux, in this setup so easy
admin. is a key point.

To clarify the data side, two main research groups will have their data
stored on the server each under control of their own "boss".   Boss1 needs
r/o access to Boss2's area and vice versa for the purposes of melding
their data for subsequent analysis.  Researchers from group 1 need to be
able to contribute to (write) and analyse (read) the data owned by that
group and same for group 2.   All these are for Windows-based users.   My
Linux workstation users can have pretty much free reign to the server
within their group.

There may be some senior researchers in group 1 who will eventually need
read or even read-write access to group 2's data pool and vice versa.
Ideally I want to disallow deletion between groups - in other words I
want to prevent accidental erasure of group 1's data by a group 2 person
(eg senior researcher) and vice versa.

In addition, Boss1 wants his secretary (Windows user) to have free reign
to all his files.   At least he hasn't asked for this server to be their
mail server as well!

Finally I want to be able to easily administer who has access to what,
easily add new researchers, quickly re-assign a person's rights if they
change research role etc, without this becoming and admin nightmare.

My initial thought was to set up (Linux) groups to reflect the roles that
each person played  - Boss, Senior researcher, data entry pleb, etc. and
assign rights based on that model.   But if I want finer-grained control
than that, I am starting to wonder if this is not a headache in the
making.

Defining file and directory permissions under SaMBa may be the way to go,
especially as I have a need for SaMBa anyway for Windows box connectivity
and that don't-ask, the Win-based backup!   I will freely admit to greater
expertise on the Windows side (NT4) in repect of permission sets as to
date all my Linux work has been in comfortable trusted environments :-)
Under Windows I would set up a directory heirarchy and assign permissions
to groups of users (and / or individuals) as well as setting up groups to
which the various users can belong.   Maybe I'm making too much of this -
can't see the woods for the trees on the linux side?

So, practical experiences welcome!   If there is sufficient interest I am
happy to summarise.
Denis

More information about the plug mailing list