Ubuntu Wiki

• Launchpad Entry: https.launchpad.net/distros/ubuntu/+spec/acl-onbydefault

• Created: 2006-04-20 PeterVanderKlippe

• Contributors: PeterVanderKlippe, AnteKaramatic

• Packages affected: All

  • naultilus
  • eiciel
  • tar
  • cpio
  • zip

Summary

Lets turn access control lists (ACL) on by default for Ubuntu. Part of the original outline for Edgy is to try new things. Not just optionally installable, as it is now (in dapper, others?) but make it the default way edgy deals with permissions.

Quote:

And that's exactly what we hope the development team will do with Ubuntu 
during the Edgy cycle - explore slightly unfamiliar and uncharted territory 
that is perhaps a little out of the mainstream. 

Nautilus acl and xattr control panel:

http://rofi.pinchito.com/eiciel/

Rationale

1. Much better permission control then any other system.
2. Easy to implement, we just need to enforce it for the whole OS. (the entire main-universe-multiverse-restricted software set)
3. Can be very easy to use, yet extremely powerful.

Use cases

Any user that needs better permissions control then the simplistic "user,group,others" unix file permissions.

Bob wants to block his mother from seeing certain files on his machine, but wants to share them with his siblings.

A need to block or allow a very specific set of users or groups access to files or folders.

Password Protection of Folders Possible: This could be used to provide password protection of folders. By making a folder (and all its contents) owned by a new "username-protected" user, and a simple nautilus extension you could protect a easily password protect a folder.

• This needs a extension for nautilus that checks to see what permissions you need to do something to a folder. (i.e. on a root owned folder, asks you for the root password to preform an operation)
• When nautilus detects a folder/file owned by the "currentusername-protected" user it will prompt the current user for their password, and then allow access.
• ACL's would be beneficial in this as you could use it to define exactly what users and groups access the folder.

Scope

Design

1. Patch/fork eiciel/nautilus to use ACL as the default permissions.
   1. Change tab name to Permissions
   2. Develop prompt to apply permissions recursively, if desired.
2. Turn on ACL support for all drives. (/, hoacl, boot/, everything)
3. Possibly make another tool to do advanced acl management.

Implementation

1. Needs recursive application of permissions. This is a seperate bug in nautilus that needs to be fixed.

Code

Data preservation and migration

BoFstanding issues

BoF agenda and discussion

• I'm not saying that all the files installed by Edgy should have acl's attached to them, I just want the possibility to be easily accessible for users if they want. (and all installed programs to be able to work with, and respect the ACl's) If the user wants an ACL on a folder or a file, he applies one, and it just works. Otherwise the file remains without an ACL and functions according to the Unix default. -- PeterVanderKlippe 2006-04-20 15:16:51

• to make sure this is easy to do, there should be an option in the "permissions" tab that actually removes the acl from the files selected. The user will not know this, but this gives the ability to strip the extra information from the file if it is necessary. ("Default permissions" button?) This stripping the file of the acl will revert it to the Unix style permissions and allow the system to function as before. -- PeterVanderKlippe 2006-04-20 15:16:51

• Please don't kill this idea just because ACL's can be confusing. They are a better permissions control system and will be useful for users. There just needs to be a little work put into polishing the tools. And a distro that supports ACL will greatly help. -- PeterVanderKlippe 2006-04-20 15:26:37

• Added password protection of folders section -- PeterVanderKlippe 2006-04-24 14:07:26

CategorySpec