Please explain Windows Access Control Lists for a UNIX person

I’m a Unix person. I learned Unix a while before I learned Windows. Lately, at my job, I’m feeling like I could replace myself with a shell script that periodically sends out emails saying “Unix groups don’t work that way” to Windows users who ask me to do stuff with file permissions for them. They ask for stuff like “give these two members of the group write access, but everybody else in the group read-only”, and I have to tell them Unix groups don’t work that way (I take it this is possible with Windows access control lists).

I would like to learn more about access control lists, so I know better where they’re coming from. Could anyone recommend a good website or book on the subject, or try to explain it to me?

I think of them as an arbitrarily long list of permissions in the form of “X can/can’t do Y” to the parent object, which is typically a file or directory. X is a specific user or group. Y is a permission, like read, write, append, execute, etc. You can create a much more complex specification of access rights than you can with traditional Unix permissions. The downside is that they can be difficult to understand and decode by humans, and they aren’t as efficient as traditional Unix permissions.
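As an added worked example (not part of any answer on this page), here is how the request from the question maps onto a Windows DACL in PowerShell: the whole group gets read-only, two named members get modify, and inheritance from the parent folder is cut so nothing above the directory can quietly re-grant write. The group name `CONTOSO\Devs`, the users `CONTOSO\alice` and `CONTOSO\bob`, and the path `C:\Shares\Proj` are assumptions for illustration. Run it elevated on a machine where those principals resolve.

```powershell
# Added example, not from the original page. Principals and path below are
# assumed names for illustration; substitute your own.
$Path    = 'C:\Shares\Proj'
$Group   = 'CONTOSO\Devs'
$Editors = @('CONTOSO\alice', 'CONTOSO\bob')

New-Item -ItemType Directory -Path $Path -Force | Out-Null

$acl = Get-Acl -Path $Path

# Stop inheriting ACEs from the parent and do not copy them down. Without
# this, an inherited "Devs: Modify" from C:\Shares would still apply, because
# Allow ACEs accumulate; an explicit ReadAndExecute does not subtract rights.
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit ACEs that were already on the directory.
foreach ($ace in @($acl.Access)) {
    if (-not $ace.IsInherited) { $null = $acl.RemoveAccessRule($ace) }
}

# Apply each ACE to the directory, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Everybody in the group: list the folder, read files and attributes, execute.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Group, 'ReadAndExecute', $inherit, $propagate, 'Allow')))

# The two editors: Modify (create, write, delete) but not change permissions
# or take ownership, which would need FullControl.
foreach ($user in $Editors) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $user, 'Modify', $inherit, $propagate, 'Allow')))
}

# Keep the directory manageable by local administrators.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, $propagate, 'Allow')))

Set-Acl -Path $Path -AclObject $acl

# Check the result two ways: the .NET view and icacls' compact notation,
# where (OI)(CI) are the inheritance flags and RX / M / F the rights.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
icacls $Path
```

Two things a Unix person should notice here. First, alice's effective rights are the union of her own ACE and the group's ACE, so "two members get write" is done purely with Allow entries. The inverse request ("everyone in the group can write except these two") needs Deny ACEs, and then ordering matters: Windows evaluates a canonical DACL with explicit Deny before explicit Allow, and explicit entries before inherited ones, so a Deny on a user beats an Allow on the user's group. Second, the ACL is evaluated against the token the user logged on with; a user added to the group after logging on does not pick up the new rights until they log off and on again.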

Overview: One, Two

More details

This book has a good section on rights management.

The same permissions and more are also part of Novell NetWare.

While Unix groups don’t work that way, you can get that behavior from POSIX ACLs. Linux, at least, seems to support them with getfacl(1), setfacl(1), and acl(5) being the relevant manpages.