not quite - the owner of the file may change the group ownership to
any other group that the owner is a member.
It does require root to change a file group to a group the owner is
not a member of.
>Why ACLs are bad:
ACLs alone are not enough. ACLs alone allow a user to grant
access to any other user/group. For situations that require a fence
between users (ie. accounting/parts inventory) only a mandatory
access control (MAC) would be able to prevent such improper
data sharing. It is also a problem in government use. At least on
large, shared resource systems.
Putting users in disjoint group memberships accomplishes this.
Providing ACLs can allow improper sharing since that is a descretionary
permission.
Mitigating factors:
Adding MAC restores facility control, and still allows the user
some flexibility to create ad-hoc groups within an administratively
defined population group.
The normal UNIX solution is to have multiple systems, each dedicated
to a relatively small population where any user is authorized to access
data on that system (this is where limited groups come in), but owners
of the data may provide a more restricted access.
Having dedicated resources corresponds to the MAC access control.
Having owner/group/world access controls (and/or ACLs) provides
the owner with a descretionary access control for the administratively
controled population of users.
A large resource usually has to be shared (wind tunnel simulations,
finite element analysis of different structures, large inventory
management...). And sharing doesn't necessarily involve sharing
data.
-- ------------------------------------------------------------------------- Jesse I Pollard, II Email: pollard@navo.hpc.milAny opinions expressed are solely my own. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/