DENY ACLs

Casey Schaufler casey at sgi.com
Mon Aug 20 17:45:00 GMT 2001


Ken Cross wrote:
> 
> (This is a reproduction of the mail sent to the FreeBSD lists.)
> 
> Hi:
> 
> The current Posix.1e ACL implementation in -current works great as far as it
> goes.  I'm sure this has been kicked around before (although I couldn't find
> anything in the archives), but it seems like adding "deny" ACLs would be a
> useful and fairly straightforward extension.
> 
> For those not familiar with it, deny ACLs are ACLs that explicitly deny
> access, e.g., group Accountants are allowed access, but user George is
> denied access even though he is a member of Accountants.
> 
> They are used extensively in the Windows NT/2K world and I need to support
> them on a BSD platform.  The implementation is pretty straightforward --
> always check deny ACLs first and then access ACLs.  They'd just be a new
> acl_type_t value (ACL_TYPE_DENY?).
> 
> I'd be happy to help with the implementation (especially since I'll be doing
> it regardless).  Any interest or things I should know about?

User ACL entries are always checked prior to group access entries.
Thus, u::rw,g::rw,m::rw,u:george:-,g:accountants:rw,o::r
will give everyone in the group but George (it's a file
containing information about a surprise party for him, I bet)
access to the file.

In short, you don't need a deny ACL.

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey at sgi.com				voice: 650.933.1634
casey_p at pager.sgi.com			Pager: 888.220.0607
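The evaluation order Casey relies on, as an added example that is not part of the thread or of the FreeBSD implementation: a small model of POSIX.1e ACL checking (owner, then named users, then owning group and named groups under the mask, then other), run against the exact ACL from the reply. The owner name "alice", owning group "staff" and the other user names are constructed for the example.

```python
# Added example: a model of POSIX.1e ACL evaluation order, showing why
# u:george:- already denies George without a separate "deny" ACL type.
# Not code from the FreeBSD implementation; the ACL text form and the
# user/group names are taken from the thread or constructed here.

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perms(text):
    """'rw' -> 6, '-' -> 0."""
    return sum(PERM_BITS[c] for c in text if c in PERM_BITS)


def parse_acl(text):
    """Parse short text form, e.g. 'u::rw,g::rw,m::rw,u:george:-,g:accountants:rw,o::r'.
    Returns a list of (tag, qualifier, permission bits)."""
    entries = []
    for item in text.split(","):
        tag, qualifier, perms = item.split(":")
        entries.append((tag, qualifier, parse_perms(perms)))
    return entries


def acl_allows(acl, owner, owning_group, uid, groups, requested):
    """Decide whether user `uid` (member of `groups`) gets `requested` ('r', 'w', 'x' chars).

    Evaluation order, as in POSIX.1e draft 17 and Casey's reply: the owner entry, then
    named user entries, then owning-group and named-group entries, then other. The first
    matching user-class entry decides; for groups, any matching entry that grants wins."""
    want = parse_perms(requested)
    mask = next((p for t, _, p in acl if t == "m"), 7)  # m:: limits u:, g::, g: entries
    # 1. owning user: u:: applies, named entries are not consulted, mask does not apply
    if uid == owner:
        perms = next(p for t, q, p in acl if t == "u" and q == "")
        return perms & want == want
    # 2. named user: the single matching u:name: entry is decisive, even if it grants nothing
    for tag, qual, perms in acl:
        if tag == "u" and qual == uid:
            return (perms & mask) & want == want
    # 3. owning group (g::) and named groups (g:name:): allowed if any matching entry grants
    matched = False
    for tag, qual, perms in acl:
        if tag == "g" and (owning_group if qual == "" else qual) in groups:
            matched = True
            if (perms & mask) & want == want:
                return True
    if matched:
        return False
    # 4. other: applies only when no user or group entry matched; mask does not apply
    perms = next(p for t, q, p in acl if t == "o")
    return perms & want == want
```

Because the named-user step returns as soon as u:george: matches, George's membership in accountants is never consulted; lowering the mask (m::r) additionally caps what the group entries can grant.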