Technically, this is also possible by creating extra groups, but this kind of access control presumably exists because the old-school method can be a pain to administer. Choosing group names can also be an “interesting” secondary challenge.
i.e. Dude’s not going to be best pleased if they ls -l and see the group on the file is xyzgroup-but-not-dude even if it is with good reason. (Shouldn’t have deleted the database, dude.)
I don’t really think that that’s a realistic goal for ACLs. I mean, getfacl showing the user specifically being excluded probably isn’t any more-polite.
In a previous life (in the 90s) I was a un*x sysadmin, and ACLs were nightmarish in a big company; I hated them and avoided them.