Ken Cross kcross at
Mon Aug 20 18:11:34 GMT 2001

The process must apply to groups, too.

For example, suppose the user is a member of GroupA which is allowed access
and also a member of GroupB which is denied access, e.g. "setfacl  -m
g:GroupA:rwx,g:GroupB:-  file".  (There's no user-specific ACL.)

All "deny" ACL's must be checked first, so the user should be denied.  Under
the current scheme, I think the "best match" would allow access.

Good thought, though.  Thanks.


> Ken Cross wrote:
> >
> > (This is a reproduction of the mail sent to the FreeBSD lists.)
> >
> > Hi:
> >
> > The current Posix.1e ACL implementation in -current works great as far
as it
> > goes.  I'm sure this has been kicked around before (although I couldn't
> > anything in the archives), but it seems like adding "deny" ACL's would
be a
> > useful and fairly straightforward extension.
> >
> > For those not familiar with it, deny ACL's are ACL's that explicitly
> > access, e.g., group Accountants are allowed access, but user George is
> > denied access even though he is a member of Accountants.
> >
> > They are used extensively in the Windows NT/2K world and I need to
> > them on a BSD platform.  The implementation is pretty straightforward --
> > always check deny ACL's first and then access ACL's.  They'd just be a
> > acl_type_t value (ACL_TYPE_DENY?).
> >
> > I'd be happy to help with the implementation (especially since I'll be
> > it regardless).  Any interest or things I should know about?
> User ACL entires are always checked prior to group access entries.
> Thus, u::rw,g::rw,m::rw,u:george:-,g:accountants:rw,o::r
> will give everyone in the group but George (it's a file
> containing information about a surprise party for him, I bet)
> access to the file.
> In short, you don't need a deny ACL.
> --
> Casey Schaufler Manager, Trust Technology, SGI
> casey at voice: 650.933.1634
> casey_p at Pager: 888.220.0607
> To Unsubscribe: send mail to majordomo at
> with "unsubscribe posix1e" in the body of the message

To Unsubscribe: send mail to majordomo at
with "unsubscribe posix1e" in the body of the message

More information about the posix1e mailing list