Minor changes to my section on file system ACLs after a discussion with

chris.

Submitted by:	chris (some parts)

en_US.ISO8859-1/books/handbook/security/chapter.sgml

@@ -3466,7 +3466,7 @@ user@unfirewalled.myserver.com's password: <userinput>*******</userinput></scree
     </sect2>
   </sect1>
   
-  <sect1 id="FS-ACLs">
+  <sect1 id="fs-acl">
     <sect1info>
       <authorgroup>
 	<author>
@@ -3477,15 +3477,15 @@ user@unfirewalled.myserver.com's password: <userinput>*******</userinput></scree
       </authorgroup>
     </sect1info>
     <indexterm>
-      <primary>File System Access Control Lists</primary>
+      <primary>ACL</primary>
     </indexterm>
     <title>File System Access Control Lists</title>
 
-    <para>In conjunction with File System enhancements like Snapshots, FreeBSD 5.0
+    <para>In conjunction with file system enhancements like snapshots, FreeBSD 5.0
       and later offers the security of File System Access Control Lists
       (<acronym>ACLs</acronym>).</para>
 
-    <para>Access Control Lists extend the standard <acronym>UNIX</acronym>
+    <para>Access Control Lists extend the standard UNIX
       permission model in a highly compatible (POSIX.1e) way.  This feature
       permits an administrator to make use of and take advantage of a
       more sophisticated security model.</para>
@@ -3501,32 +3501,33 @@ user@unfirewalled.myserver.com's password: <userinput>*******</userinput></scree
       the file system.  This is supported natively in the next generation of
       the <acronym>UNIX</acronym> file system or <acronym>UFS2</acronym>.</para>
 
-    <note><para>Although possible, use of extended attributes are not recommended
-      on the <acronym>UFS1</acronym> file system.  It will lead to a downgrade in
-      performance and an increase in administration overhead.</para></note>
+    <note><para>The use of extended attributes on <acronym>UFS1</acronym> file
+      systems will lead to higher administration overhead and lower overall
+      file system performance.  <acronym>UFS2</acronym> does not have this
+      problem.</para></note>
 
     <para>To enable <acronym>ACLs</acronym> on a file system, the <option>-a</option>
       option can be passed to &man.tunefs.8; in a manner similar to the softupdates
       process:</para>
 
     <screen>&prompt.root; <userinput>umount /usr</userinput></screen>
-    <screen>&prompt.root; <userinput>tunefs -a enable /dev/ad0s2e</userinput></screen>
-    <screen>&prompt.root; <userinput>mount /dev/ad0s2e /usr</userinput></screen>
+    <screen>&prompt.root; <userinput>tunefs -a enable /dev/<replaceable>diskNsNx</replaceable></userinput></screen>
+    <screen>&prompt.root; <userinput>mount /dev/<replaceable>diskNsNx</replaceable> /usr</userinput></screen>
 
-    <para>This assumes that <filename>/dev/ad0s2e</filename> is the
+    <para>This assumes that <filename>/dev/<replaceable>diskNsNx</replaceable></filename> is the
       <filename>/usr</filename> partition.</para>
 
-    <para>Now the <filename>/usr</filename> file system should have <acronym>ACLs</acronym>
-      enabled at every &man.mount.8;.</para>
+    <para><acronym>ACLs</acronym> can also be enabled by passing the
+      <option>-o acls</option> argument to &man.mount.8;:</para>
 
     <para><acronym>ACLs</acronym> can also be enabled by passing the <option>-o</option>
       flag to to &man.mount.8; with the <option>acls</option> option:</para>
 
-    <screen>&prompt.root; <userinput>mount -o acls /dev/ad0s2e /usr</userinput></screen>
+    <screen>&prompt.root; <userinput>mount -o acls /dev/<replaceable>diskNsNx</replaceable> /usr</userinput></screen>
 
     <para>This flag can also be set  in <filename>/etc/fstab</filename>.
       It is recommended to use the former over the later to avoid remount
-      issues with the root (<filename>/</filename>) file system.</para>
+      issues with the root file system.</para>
   </sect1>
 </chapter>