ACLs: Group permission test
Andreas Gruenbacher
a.gruenbacher at infosys.tuwien.ac.at
Wed Oct 6 15:52:21 GMT 1999
POSIX 1003.1e Draft Standard 17 document,
23.1.5 ACL Access Check Algorithm:
The access rights of a group are determined (how I read it) as follows.
(The ACL_MASK_OBJ masquerading is deliberately left out of this
simplified version.)
- Find an ACL_GROUP (or ACL_GROUP_OBJ) entry that has the
appropriate permissions set.
- If such an entry exists, grant the requested access.
- If such an entry doesn't exist, deny access.
On the other hand, the Solaris implementation goes as follows:
- Accumulate all permissions of all matching ACL_GROUP and ACL_GROUP_OBJ
entries.
- If the accumulated rights include the permissions requested,
grant access.
- else, deny access.
This subtle difference may lead to the following problem:
A process requests rwx access. There are matching entries that
grant the process r-x and rw- access. In the POSIX version,
access is granted. In the Solaris version, access is denied.
Is this deliberate?
I don't understand the advantage of the POSIX approach, apart
from maybe being a couple of CPU cycles faster.
Any ideas?
Andreas
------------------------------------------------------------------------
Andreas Gruenbacher, Vienna University of Technology
a.gruenbacher at infosys.tuwien.ac.at
Contact information: http://www.infosys.tuwien.ac.at/~agruenba
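
The two group checks described in the message, side by side, as an added example that is not part of the original post or of any implementation. The struct, constants, gids and function names are assumptions made for illustration, and ACL_MASK_OBJ is left out as in the message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Names local to this example (hypothetical, not taken from <sys/acl.h>). */
enum { PERM_X = 1, PERM_W = 2, PERM_R = 4 };
enum tag { TAG_GROUP_OBJ, TAG_GROUP };
struct entry { enum tag tag; unsigned gid; unsigned perms; };

/* True if gid is one of the process's groups. */
static bool in_groups(unsigned gid, const unsigned *groups, size_t ngroups) {
    for (size_t i = 0; i < ngroups; i++)
        if (groups[i] == gid) return true;
    return false;
}

/* First description: grant only if ONE matching entry holds every requested bit. */
bool check_single_entry(const struct entry *acl, size_t n,
                        const unsigned *groups, size_t ngroups, unsigned want) {
    for (size_t i = 0; i < n; i++)
        if (in_groups(acl[i].gid, groups, ngroups) && (acl[i].perms & want) == want)
            return true;
    return false;
}

/* Second description: OR together all matching entries, then compare. */
bool check_accumulated(const struct entry *acl, size_t n,
                       const unsigned *groups, size_t ngroups, unsigned want) {
    unsigned have = 0;
    for (size_t i = 0; i < n; i++)
        if (in_groups(acl[i].gid, groups, ngroups)) have |= acl[i].perms;
    return (have & want) == want;
}

/* Constructed sample: owning group grants r-x, a named group grants rw-. */
static const struct entry sample_acl[] = {
    { TAG_GROUP_OBJ, 100, PERM_R | PERM_X },
    { TAG_GROUP,     200, PERM_R | PERM_W },
};
static const unsigned sample_groups[] = { 100, 200 }; /* process is in both */

int main(void) {
    unsigned rwx = PERM_R | PERM_W | PERM_X;
    printf("single-entry: %d\n", check_single_entry(sample_acl, 2, sample_groups, 2, rwx));
    printf("accumulated:  %d\n", check_accumulated(sample_acl, 2, sample_groups, 2, rwx));
    return 0;
}
```

For the rwx request against the r-x and rw- entries, check_single_entry returns false and check_accumulated returns true; the two checks agree whenever a single matching entry already covers the request.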