kcross at ntown.com
Mon Aug 20 18:11:34 GMT 2001
The process must apply to groups, too.
For example, suppose the user is a member of GroupA which is allowed access
and also a member of GroupB which is denied access, e.g. "setfacl -m
g:GroupA:rwx,g:GroupB:- file". (There's no user-specific ACL.)
All "deny" ACL's must be checked first, so the user should be denied. Under
the current scheme, I think the "best match" would allow access.
Good thought, though. Thanks.
> Ken Cross wrote:
> > (This is a reproduction of the mail sent to the FreeBSD lists.)
> > Hi:
> > The current Posix.1e ACL implementation in -current works great as far
> > goes. I'm sure this has been kicked around before (although I couldn't
> > anything in the archives), but it seems like adding "deny" ACL's would
> > useful and fairly straightforward extension.
> > For those not familiar with it, deny ACL's are ACL's that explicitly
> > access, e.g., group Accountants are allowed access, but user George is
> > denied access even though he is a member of Accountants.
> > They are used extensively in the Windows NT/2K world and I need to
> > them on a BSD platform. The implementation is pretty straightforward --
> > always check deny ACL's first and then access ACL's. They'd just be a
> > acl_type_t value (ACL_TYPE_DENY?).
> > I'd be happy to help with the implementation (especially since I'll be
> > it regardless). Any interest or things I should know about?
> User ACL entires are always checked prior to group access entries.
> Thus, u::rw,g::rw,m::rw,u:george:-,g:accountants:rw,o::r
> will give everyone in the group but George (it's a file
> containing information about a surprise party for him, I bet)
> access to the file.
> In short, you don't need a deny ACL.
> Casey Schaufler Manager, Trust Technology, SGI
> casey at sgi.com voice: 650.933.1634
> casey_p at pager.sgi.com Pager: 888.220.0607
> To Unsubscribe: send mail to majordomo at cyrus.watson.org
> with "unsubscribe posix1e" in the body of the message
To Unsubscribe: send mail to majordomo at cyrus.watson.org
with "unsubscribe posix1e" in the body of the message
More information about the posix1e