Re: ACL complexity

[Bruno Haible]

Paul Eggert wrote (when talking about libxattr and such):
> No kidding. This stuff is waaaayy too complicated.

More generally, I find the semantics and the syntax of ACLs on most
systems to be more demanding than what the average command-line user can
grok. While for random features of the OS this would just be a nuisance
that can be ignored, for a feature with impact on security this is a
major problem.

What I mean is:

1) The syntax.

# getfacl /tmp/file
getfacl: Removing leading '/' from absolute path names  (<< what is this about?)
# file: tmp/file
# owner: test1
# group: test
user::rw-
user:test3:rw-
group::rw-
mask::rw-
other::---

A sysadmin may understand this, but an average command-line user won't.

Suggestion: Add a mode to 'ls' (not to getfacl, because average users
know about 'ls' only) that displays the same info with explanations.
It doesn't matter if the output is 25 lines instead of 8 lines, in this
mode.

2) The semantics.

What are "effective" permissions
https://tylersguides.com/guides/linux-acl-permissions-tutorial/ ?

Suggestion: Provide a kind of "testing toolbox" to the users, which they
can use to simulate what happens when someone tries to access an existing
or new file, after they have set specific permissions and ACLs.

Bruno