
ACLs

While the traditional user/group/world permissions structure is adequate for many systems, there are times when more fine-grained control is required. This may be handled by using Access Control Lists (ACLs). ACLs are implemented using the extended attributes available in various filesystems and are available by default in the EXT filesystems normally used in Debian Linux. The details may be found in the Debian acl package. In particular, check out the manual pages for the getfacl, setfacl, and chacl commands.

While ACLs are useful, there are some issues to be aware of. For example, most graphical file managers do not support them, and some utilities (EMACS comes to mind) clear the file ACL list when updating a file. This can be addressed somewhat by setting a default ACL for the directory, but non-default file ACLs will still need to be reconstructed if they are lost. Another issue is performance. On some filesystems, the existence of an ACL delays the initial file access due to the additional access verification required. Since this occurs only on the initial access, its impact is often minimal in practice. Finally, there is the issue of backups when you use ACLs. Most backup utilities now recognize ACLs. In Debian Linux, both rsync and tar now have options to allow them to recognize and back up ACLs, but they are only handled if you use the proper command options. The EXT backup utilities dump and restore also handle ACLs. However, some utilities may not recognize or handle ACLs properly, so always check the package documentation and manual pages if you use Access Control Lists.

Note that, if you do use ACLs, you are not required to use them for all files and directories. It is quite possible to set them on only those files and directories that need them. Judicious use of file ACLs and default ACLs set for certain directories will help streamline ACL management.
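One way to catch the lost-ACL case described above is to keep a `getfacl -R` dump as a baseline and compare it with a fresh dump. The script below is an added example, not part of the original article; the file names `baseline.acl` and `current.acl`, the paths, and the users `alice`, `bob` and `carol` are constructed sample data.

```sh
#!/bin/sh
# Added example: compare two `getfacl -R DIR` dumps (sample data is constructed).

# acl_lost BASELINE CURRENT
# Print "path<TAB>entry" for every named user/group entry (default: entries
# included) that BASELINE has and CURRENT lacks for the same path.
acl_lost() {
    awk '
        /^# file: / { path = substr($0, 9); next }
        { sub(/[ \t]*#.*$/, "") }                     # drop "#effective:" notes and header lines
        !/^(default:)?(user|group):[^:]+:/ { next }   # keep named entries only
        pass == 1 { seen[path SUBSEP $0] = 1; next }  # first file read: current state
        !((path SUBSEP $0) in seen) { printf "%s\t%s\n", path, $0 }
    ' pass=1 "$2" pass=2 "$1"
}

# Constructed sample: report.txt was rewritten by an editor. It re-inherited
# bob from the directory default ACL but lost carol, a file-specific entry.
write_samples() {
    cat > "$1" <<'EOF'
# file: srv/projects
# owner: alice
# group: staff
user::rwx
group::r-x
other::---
default:user::rwx
default:user:bob:rwx
default:group::r-x
default:mask::rwx
default:other::---

# file: srv/projects/report.txt
# owner: alice
# group: staff
user::rw-
user:bob:rwx	#effective:rw-
user:carol:r--
group::r--
mask::rw-
other::---
EOF
    grep -v '^user:carol:' "$1" > "$2"
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
write_samples "$dir/baseline.acl" "$dir/current.acl"
acl_lost "$dir/baseline.acl" "$dir/current.acl"
```

Entries reported as lost can be put back from the same baseline with `setfacl --restore=baseline.acl`, run from the directory in which the dump was taken.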
