by mananaysiempre 1249 days ago
I recently got to reading the POSIX.1e (MAC & DAC) draft, and the DAC = ACL part is... surprisingly non-terrible. Still awkward and hampered by its existence as barely-visible metadata smeared over the whole system, as all ACLs are, but not at all the hopeless mess I expected coming from NT. (Even that might’ve been salvageable had Microsoft been willing to publish full documentation of all NT object permissions and mechanisms. Except SDDL, there is no world in which SDDL is salvageable.) Couldn’t make heads or tails of the MAC part, though.

The /etc/sudoers solution does have a usability advantage precisely in not being smeared all over the system. Even if “/etc/sudoers” and “usability” are words not often seen inside a single sentence.

1 comment

> smeared all over the system

I mean, ACL data is normally stored in filesystem metadata, nothing is 'smeared'.

If you as an administrator want to see where you have granted additional funny permissions, with ACLs your only recourse is to getfacl everything on the filesystem, whereas with sudo everything is listed in /etc/sudoers and classically the group membership in /etc/passwd gives you a pretty good idea. I don’t know if that’s a reasonable thing to want, actually, but it is one that makes me mildly uncomfortable with ACL systems in general.
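The audit the last comment describes ("getfacl everything on the filesystem") looks like this in practice. This is an added example, not code posted by either commenter: a small POSIX shell filter that reads getfacl output and prints only the paths carrying a named-user, named-group or default ACL entry, i.e. grants that `ls -l` does not show. The sample getfacl output embedded below is constructed so the script runs offline; the real run is the `getfacl -R -s -p` pipeline in the comment at the top, which needs the acl package installed. The path `/srv/www` and the user `deploy` are made up for the illustration.

```shell
#!/bin/sh
# Added example: find every file in a tree whose POSIX.1e ACL grants more than
# the base owner/group/other entries.
#
# Real audit (acl package required):
#     getfacl -R -s -p /srv/www | acl_paths
#   -R  recurse into directories
#   -s  skip files whose ACL consists only of the base entries
#   -p  keep the leading slash so paths are absolute
#
# acl_paths is the part that makes the output reviewable: one path per line,
# only for files with a named user/group entry or a default ACL. It also works
# on getfacl output captured without -s, which is why it filters again.

acl_paths() {
    awk '
        /^# file: / { path = substr($0, 9); extra = 0; next }   # "# file: " is 8 chars
        /^(user|group):[^:]+:/ { extra = 1 }                    # user:NAME:... or group:NAME:...
        /^default:/            { extra = 1 }                    # default ACL on a directory
        /^$/ { if (extra) print path; path = ""; extra = 0 }    # blank line ends a record
        END  { if (extra) print path }                          # last record may lack the blank
    '
}

# Constructed sample in getfacl's output format (not captured from a real host).
# Only /srv/www/uploads has entries beyond the base set: a named user "deploy"
# plus a default ACL that new files under it will inherit.
SAMPLE=$(cat <<'EOF'
# file: /srv/www
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

# file: /srv/www/uploads
# owner: root
# group: root
user::rwx
user:deploy:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:deploy:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

# file: /srv/www/index.html
# owner: root
# group: www-data
user::rw-
group::r--
other::r--
EOF
)

# Run the filter over the constructed sample; prints /srv/www/uploads.
audit_sample() {
    printf '%s\n' "$SAMPLE" | acl_paths
}

# Same filter over a record with only base entries; prints nothing.
audit_base_only() {
    printf '%s\n' '# file: /tmp/plain' 'user::rw-' 'group::r--' 'other::r--' '' | acl_paths
}

audit_sample
```

The filter deliberately ignores `mask::` lines: the mask caps what named entries can do but is not itself a grant, so listing it would only add noise to the review. Because getfacl with `-s` already drops base-only files, the awk pass is there so the same script gives the same answer on output saved earlier without `-s`, or on output from a getfacl that lacks the flag.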