DENY ACLs

Casey Schaufler casey at sgi.com
Mon Aug 20 18:37:15 GMT 2001


Ken Cross wrote:
> 
> The process must apply to groups, too.
> 
> For example, suppose the user is a member of GroupA which is allowed access
> and also a member of GroupB which is denied access, e.g.
> "setfacl -m g:GroupA:rwx,g:GroupB:- file". (There's no user-specific ACL.)
> 
> All "deny" ACL's must be checked first, so the user should be denied.  Under
> the current scheme, I think the "best match" would allow access.

You're correct. All groups are treated equally, and this case
would result in those belonging to both groups getting access.
The POSIX group's response would be that you should not have
given GroupA access, as that group does not accurately describe
the set of people you want to have access. Instead you should
either have a GroupC, made of GroupA-but-not-GroupB, or
list the individuals.

You can provide the access you want, although it may take
some work to specify it correctly.

-- 

Casey Schaufler				Manager, Trust Technology, SGI
casey at sgi.com				voice: 650.933.1634
casey_p at pager.sgi.com			Pager: 888.220.0607
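To make the point of the exchange concrete, here is an added model (not code from the list or from either poster) of the POSIX.1e access check, where the first matching group entry that grants the requested bits wins, next to the deny-first evaluation Ken expected, both run over the GroupA/GroupB case and over Casey's suggested GroupA-but-not-GroupB remedy. The uids, group names and ACLs are constructed for illustration.

```python
# Added illustration (not from the list post); uids and group names are made up.
R, W, X = 4, 2, 1  # permission bits as in POSIX

def posix_acl_access(acl, owner_uid, owner_gid, uid, groups, want):
    """POSIX.1e-style check. acl: list of (tag, qualifier, perms).
    Tags: 'user_obj', 'user', 'group_obj', 'group', 'mask', 'other'.
    Only user_obj and other are unaffected by the mask entry."""
    mask = next((p for t, _, p in acl if t == 'mask'), R | W | X)
    group_matched = False
    for tag, qual, perm in acl:
        if tag == 'user_obj' and uid == owner_uid:
            return (perm & want) == want            # owner: decided here, no mask
        if tag == 'user' and uid == qual:
            return (perm & mask & want) == want     # named user: decided here
        if (tag == 'group_obj' and owner_gid in groups) or \
           (tag == 'group' and qual in groups):
            group_matched = True
            if (perm & mask & want) == want:
                return True                         # first granting group wins
    if group_matched:
        return False                                # groups matched, none granted
    other = next((p for t, _, p in acl if t == 'other'), 0)
    return (other & want) == want

def deny_first_access(acl, groups, want):
    """Non-POSIX model: any matching group entry that lacks a requested
    bit denies, no matter what the other matching entries grant."""
    matching = [p for t, q, p in acl if t == 'group' and q in groups]
    if any((p & want) != want for p in matching):
        return False
    return any((p & want) == want for p in matching)

# Constructed case from the thread: "g:GroupA:rwx,g:GroupB:-" on a file
# owned by uid 1000 / group 'staff', with no user-specific entry.
ACL_AB = [('user_obj', None, R | W), ('group_obj', None, 0),
          ('group', 'GroupA', R | W | X), ('group', 'GroupB', 0),
          ('mask', None, R | W | X), ('other', None, 0)]
# Casey's remedy: replace both entries with a GroupC of GroupA-but-not-GroupB.
ACL_C = [e for e in ACL_AB if e[1] not in ('GroupA', 'GroupB')] + \
        [('group', 'GroupC', R | W | X)]

def thread_case():
    both = {'GroupA', 'GroupB'}       # a user belonging to both groups
    a_only = {'GroupA', 'GroupC'}     # a user in GroupA but not GroupB
    return {
        'posix_both': posix_acl_access(ACL_AB, 1000, 'staff', 1001, both, R),
        'deny_first_both': deny_first_access(ACL_AB, both, R),
        'posix_groupC_both': posix_acl_access(ACL_C, 1000, 'staff', 1001, both, R),
        'posix_groupC_a_only': posix_acl_access(ACL_C, 1000, 'staff', 1001, a_only, R),
    }
```

Under the POSIX rule the member of both groups reads the file through GroupA, while the deny-first model refuses; the GroupC ACL gives the intended result under the POSIX rule without needing deny ordering.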