  1. #1
    Just Joined!
    Join Date
    Oct 2007
    Posts
    12

    How to meet typical requirements for granular file permissions?

    Simply specifying owner & group, and then lumping the rest of the known universe into "other" obviously wouldn't cut it in most organizations. So how do admins usually address, say, the following kind of requirement:

    Accounting's Bob owns file Foo. Bob has given everyone in his group (you guessed it, "accounting") rw_ permissions to Foo. But he needs to let Alice (how'd you know I was going to say Alice?) read (r _ _ permission) Foo, but no one else. Furthermore, Alice should not have any permissions on all other "accounting" files.

    This is a very typical situation, and one that basic Linux permissions don't seem to address. Are ACLs the answer? Are ACLs then used in nearly every server in every org, or are there many such solutions to choose from?

  2. #2
    Just Joined!
    Join Date
    Jan 2009
    Posts
    10
    I'm no system admin, but yes, that is what ACLs are for. Here's an intro: POSIX Access Control Lists on Linux

    I think, though, that you could accomplish the same thing with traditional Unix file permissions -- but over time it would be a lot more work and administration. Say, for example, you could create one top level directory that has r-x permissions for everybody, create a personal group just for Alice, and then create a subdirectory with r-x permissions just for Alice's group. And put the file inside that directory with r-- permissions only for her and her group.

    Here's a better explanation (as I understand it): Clarification on Linux or Unix Directory Permissions: Permission Inheritance - Site Blog

    Anyway, you can see how directories and groups could become very numerous and difficult to manage.
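
The Bob/Alice requirement from this thread, as an added example that is not part of either post: a small Python model of the order in which a POSIX ACL is evaluated (owner, named user, group class, other), run over constructed getfacl-style text. The user names, the group name and the second file (`LEDGER_ACL`) are assumptions made for illustration.

```python
# Added example: models the access-check order described in acl(5).
# ACL text below is constructed, in getfacl style; names are assumptions.
# A named-user entry like alice's is what `setfacl -m u:alice:r Foo` adds.
FOO_ACL = """\
user::rw-
user:alice:r--
group::rw-
mask::rw-
other::---
"""
# Another accounting file with no entry for alice (constructed).
LEDGER_ACL = """\
user::rw-
group::rw-
other::---
"""

def parse_acl(text):
    """Return (tag, qualifier, permission-set) for each ACL line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qualifier, perms = line.split(":")
            entries.append((tag, qualifier, set(perms) - {"-"}))
    return entries

def allowed(acl_text, owner, owning_group, user, groups, want):
    """True if `user` (member of `groups`) is granted every bit in `want`."""
    entries, want = parse_acl(acl_text), set(want)

    def get(tag, qual=""):
        return next((p for t, q, p in entries if t == tag and q == qual), None)

    mask = get("mask")
    capped = lambda p: p if mask is None else p & mask
    if user == owner:                       # 1. owner entry, never masked
        return want <= get("user")
    if get("user", user) is not None:       # 2. named user, capped by mask
        return want <= capped(get("user", user))
    matches = [get("group")] if owning_group in groups else []
    matches += [p for t, q, p in entries if t == "group" and q in groups]
    if matches:                             # 3. group class, capped by mask
        return any(want <= capped(p) for p in matches)
    return want <= get("other")             # 4. everyone else
```

Because the named-user entry lives on Foo alone, Alice gets read access there without joining "accounting", and every other accounting file still treats her as "other".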
