What are negative permissions?

Robert Bonomi bonomi at mail.r-bonomi.com
Mon Sep 17 03:11:05 UTC 2012

> Michael Sierchio <kudzu at tenebras.com> wrote:
> On Sun, Sep 16, 2012 at 12:50 PM, Matthias Apitz <guru at unixarea.de> wrote:
> > On Sunday, September 16, 2012 at 08:37:48PM +0100, Matthew Seaman
> > wrote:
> >
> > > It's where the group ownership of a file gives it fewer permissions than
> > > are allowed for the world in general.
> > >
> > > Suppose you have a file with these permissions and ownership:
> > >
> > > foo bar -rwx---r-x
> > >
> > > ...
> >
> > So far so good (and correct) the theory. But, could you imagine a real
> > world example where this makes any sense?
> Group permissions are rather blunt, and if you want fine-grained access
> controls, you'll need to enable ACLs.  However...
> Imagine, if you will, a group entitled "guest," with the semantics you
> might normally associate with that name - then using negative group
> permissions on a directory effectively prevents traversal beyond that point
> for members of that group.

It's also 'convenient' for an anonymous ftp 'upload' directory -- set the 
upload directory permissions to '-w--w-rw-' and any 'username' in the 
'anonymous' group can only upload files to that directory -- can't get
a directory listing, read any files, or change directory.  BUT, any
'non-anonymous' user _can_ do those things.

There are many kinds of "special case" scenarios where it is desirable
to make something 'generally available' to the users, but -deny- access
to a specific group of users.  "Negative permissions" is a simple, and
simplistic, approach to the issue -- but it is a 'traditional' one, from
the days before extended access-control lists.
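An added illustration (not code from anyone in this thread): a small Python model of how the kernel picks exactly one of the owner/group/other classes and never falls through to a wider one, run over Matthew Seaman's 'foo bar -rwx---r-x' file and the '-w--w-rw-' upload directory above. The uids and gids are constructed, and the check ignores root, setuid bits, ACLs and MAC policy.

```python
# Added example: POSIX permission-class selection behind "negative permissions".
# Owner, group, other are tested in that order and the FIRST matching class
# decides; a group member never inherits the (wider) 'other' bits.
R, W, X = 4, 2, 1


def parse_mode(symbolic: str) -> int:
    """ls-style 'rwx---r-x' (optional leading type char) -> low nine mode bits."""
    bits = symbolic[-9:]
    if len(bits) != 9:
        raise ValueError(f"need nine permission characters: {symbolic!r}")
    mode = 0
    for ch in bits:
        mode = (mode << 1) | (0 if ch == "-" else 1)
    return mode                              # 'rwx---r-x' -> 0o705


def access_allowed(uid: int, gids: set[int], owner: int, group: int,
                   mode: int, want: int) -> bool:
    """Discretionary check for a non-root process; 'want' is a mask of R, W, X."""
    if uid == owner:
        klass = (mode >> 6) & 7
    elif group in gids:
        klass = (mode >> 3) & 7              # group class wins even if 'other' is wider
    else:
        klass = mode & 7
    return klass & want == want


# Constructed ids for the two examples from the thread.
FOO, BAR = 1000, 100                         # owner 'foo', group 'bar'
FTP, ANON = 1001, 101                        # owner 'ftp', group 'anonymous'


def seaman_example() -> dict[str, bool]:
    """Matthew Seaman's file: 'foo bar -rwx---r-x'."""
    mode = parse_mode("-rwx---r-x")
    return {"owner reads": access_allowed(FOO, {BAR}, FOO, BAR, mode, R),
            "bar member reads": access_allowed(2000, {BAR}, FOO, BAR, mode, R),
            "outsider reads": access_allowed(3000, {300}, FOO, BAR, mode, R)}


def ftp_upload_example() -> dict[str, bool]:
    """Upload directory '-w--w-rw-' owned by ftp:anonymous."""
    mode = parse_mode("-w--w-rw-")
    return {"anonymous lists": access_allowed(2000, {ANON}, FTP, ANON, mode, R),
            "anonymous writes": access_allowed(2000, {ANON}, FTP, ANON, mode, W),
            "other user lists": access_allowed(3000, {300}, FTP, ANON, mode, R)}
```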

More information about the freebsd-questions mailing list