ACLs: Group permission test
Andreas Gruenbacher
a.gruenbacher at infosys.tuwien.ac.at
Wed Oct 6 23:11:29 GMT 1999
James Buster wrote:
>
> On Oct 6, 5:52pm, Andreas Gruenbacher wrote:
> } Subject: ACLs: Group permission test
> } POSIX 1003.1e Draft Standard 17 document,
> } 23.1.5 ACL Access Check Algorithm:
> [deleted]
> } - Find an ACL_GROUP (or ACL_GROUP_OBJ) entry that has the
> } appropriate permissions set.
> } - If such an entry exists, grant the requested access.
> } - If such an enttry doesn't exist, deny access.
>
> This is not how the access rights of a group is determined, it's how
> the access rights of a process in multiple groups is determined. The
> actual Posix language is as follows:
Sorry I was not very precise. I just tried to pack the same message
in different words. Of course I meant the permissions a process gets.
>
> Rights accumulation is explicitly not allowed.
>
> [...]
>
> } A process requests rwx access. There are matching entries that
> } grant the process r-x and rw- access. In the POSIX version,
> } access is granted. In the Solaris version, access is denied.
>
> This seems backwards. In Posix, access is not granted. In Solaris, it is.
I seem to have been slightly confused...
> [...]
>
> It doesn't have unintended consequences. If you do access accumulation
> like Solaris does, it becomes too easy to inadvertantly grant access that
> wasn't intended by the person setting the ACL.
>
I still find this a very strange definition. Accumulation is what
everybody and their dog would expect, yet POSIX is different.
Standards are strange...
Andreas
------------------------------------------------------------------------
Andreas Gruenbacher, Vienna University of Technology
a.gruenbacher at infosys.tuwien.ac.at
Contact information: http://www.infosys.tuwien.ac.at/~agruenba
To Unsubscribe: send mail to majordomo at cyrus.watson.org
with "unsubscribe posix1e" in the body of the message
More information about the posix1e
mailing list