DENY ACLs
Casey Schaufler
casey at sgi.com
Mon Aug 20 17:45:00 GMT 2001
Ken Cross wrote:
>
> (This is a reproduction of the mail sent to the FreeBSD lists.)
>
> Hi:
>
> The current Posix.1e ACL implementation in -current works great as far as it
> goes. I'm sure this has been kicked around before (although I couldn't find
> anything in the archives), but it seems like adding "deny" ACL's would be a
> useful and fairly straightforward extension.
>
> For those not familiar with it, deny ACL's are ACL's that explicitly deny
> access, e.g., group Accountants are allowed access, but user George is
> denied access even though he is a member of Accountants.
>
> They are used extensively in the Windows NT/2K world and I need to support
> them on a BSD platform. The implementation is pretty straightforward --
> always check deny ACL's first and then access ACL's. They'd just be a new
> acl_type_t value (ACL_TYPE_DENY?).
>
> I'd be happy to help with the implementation (especially since I'll be doing
> it regardless). Any interest or things I should know about?
User ACL entries are always checked prior to group access entries.
Thus, u::rw,g::rw,m::rw,u:george:-,g:accountants:rw,o::r
will give everyone in the group but George (it's a file
containing information about a surprise party for him, I bet)
access to the file.
In short, you don't need a deny ACL.
--
Casey Schaufler Manager, Trust Technology, SGI
casey at sgi.com voice: 650.933.1634
casey_p at pager.sgi.com Pager: 888.220.0607
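
The evaluation order described in the reply above, as an added example that is not part of the original message and is not FreeBSD's implementation. The names acl_allows and party_check and all numeric uids/gids are assumptions made for this sketch, which simplifies the POSIX.1e draft algorithm to a single access check.

```c
#include <stddef.h>

/* Simplified POSIX.1e access check order (illustration, not FreeBSD's code). */
enum { R = 4, W = 2, X = 1 };
enum tag { USER_OBJ, USER, GROUP_OBJ, GROUP, MASK, OTHER };
struct entry { enum tag tag; int id; int perm; };  /* id used by USER/GROUP only */
struct cred { int uid; const int *gids; size_t ngids; };
static int in_groups(const struct cred *c, int gid) {
    for (size_t i = 0; i < c->ngids; i++)
        if (c->gids[i] == gid) return 1;
    return 0;
}

/* Returns 1 if every bit in want is granted to c, else 0. */
int acl_allows(const struct entry *acl, size_t n, int owner, int group,
               const struct cred *c, int want) {
    int mask = R | W | X, other = 0, owner_perm = 0, user_perm = -1, matched = 0;
    for (size_t i = 0; i < n; i++) {
        if (acl[i].tag == MASK) mask = acl[i].perm;
        else if (acl[i].tag == OTHER) other = acl[i].perm;
        else if (acl[i].tag == USER_OBJ) owner_perm = acl[i].perm;
        else if (acl[i].tag == USER && acl[i].id == c->uid) user_perm = acl[i].perm;
    }
    if (c->uid == owner)              /* 1. owner: u:: entry, not masked */
        return (owner_perm & want) == want;
    if (user_perm >= 0)               /* 2. named user decides; groups never consulted */
        return (user_perm & mask & want) == want;
    for (size_t i = 0; i < n; i++) {  /* 3. any matching group entry may grant */
        int gid = acl[i].tag == GROUP_OBJ ? group : acl[i].id;
        if ((acl[i].tag != GROUP_OBJ && acl[i].tag != GROUP) || !in_groups(c, gid))
            continue;
        matched = 1;
        if ((acl[i].perm & mask & want) == want) return 1;
    }
    return matched ? 0 : (other & want) == want;  /* 4. other only if nothing matched */
}

/* The ACL from the post; the numeric ids are constructed for this example. */
enum { OWNER = 1000, OWNGRP = 100, GEORGE = 1001, ACCOUNTANTS = 200 };
static const struct entry party_acl[] = {
    {USER_OBJ, 0, R | W}, {GROUP_OBJ, 0, R | W}, {MASK, 0, R | W},
    {USER, GEORGE, 0}, {GROUP, ACCOUNTANTS, R | W}, {OTHER, 0, R},
};

/* Check the post's ACL for a process with uid and one group gid. */
int party_check(int uid, int gid, int want) {
    struct cred c = { uid, &gid, 1 };
    return acl_allows(party_acl, sizeof party_acl / sizeof *party_acl,
                      OWNER, OWNGRP, &c, want);
}
```

Because the named user entry ends the search at step 2, George is refused even read access, although both g:accountants:rw and o::r would otherwise grant it.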