Problem with default ACLs and mask
sudakov at sibptus.tomsk.ru
Wed Nov 9 19:53:09 PST 2005
Heinrich Rebehn wrote:
> >>>>Very sad :-( It really seems to be impossible to implment something like
> >>>>a "Group Manager" enabling me to delegate priviliges for a group of
> >>>>users to some non-root person.
> >>>What OS allows you to do it?
> >>I have done such things with OpenVMS. Dunno how much control
> >>Windows/NTFS allows.
> > Doesn't OpenVMS also have the concept of default ACLs on directories?
> > How is the matter handled there?
> Yes, it has. But it does not have the concept of a "mask", which limits
> the resulting access rights.
> In OpenVMS, group members can also "lock out" the group manager by
> removing the ACLs. But they must do so on purpose, and the group manager
> can talk to them if that happens.
> With Posix1e however, users can inadvertently create directories with
> the group write bit removed (by extracting a tar ball), which the group
> manager is then unable to delete.
Moreover, I recently came across another issue. Consider the following
scenario. You set a default ACL on the directory "test". Your user
creates a file somewhere else and then moves it into "test". Provided
"test" and the other directory are on the same filesystem, the file
will not inherit the default ACLs from "test". It will be inside
"test", but with a different set of ACLs.
M$ Windows works exactly the same way if both the directories are on
the same volume.
How does OpenVMS handle such a scenario?
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
More information about the freebsd-fs