freebsd-doc at fjl.co.uk
Mon Feb 5 15:16:34 UTC 2018
I know there is more than one flavour of ACL but in general...
Imagine you have two groups - one "accounts" and another "dodgy". If it
helps you could even have a third - "notdodgy" - which contains all the
users not in "dodgy".
You have a resource, called "master-file". This must be accessible to
everyone in accounts EXCEPT for those also in the dodgy group. That's
right - you have some dodgy accountants.
How do you do this?
The problem with ACLs, as I understand them, is that the system will
search through until it finds an "allow" condition and only return
"deny" if it completely fails. In other words, Group1 OR Group2 = Allow.
I want a condition that says Group1 AND Group2 = Allow.
If this is beyond what ACLs can do I have a clunky Plan B: a cron job that
will maintain a third group called "notdodgyaccounts" and use that as the
group owner of "master-file", avoiding ACLs completely. But I thought ACLs
were supposed to be the answer to everything.
Am I missing something?
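
The "Plan B" group computation described in the message above, sketched as an added example that is not part of the original post. It goes slightly beyond the message by also counting users whose primary GID is the group; the function names `allowed_members` and `demo` are hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# allowed_members ALLOW DENY GROUPFILE PASSWDFILE
# Prints, comma-separated, the users in group ALLOW who are not in group DENY.
# Membership means listed in the group file OR having the group as primary GID.
# Exits 2 (printing nothing) if either group is missing, so a typo in the
# name of the deny group cannot silently admit everyone.
allowed_members() {
    awk -F: -v allow="$1" -v deny="$2" '
        function member(g, user, pgid) {
            return ((g, user) in listed) || ((g in gid) && pgid == gid[g])
        }
        FNR == NR {                  # first file: name:passwd:gid:members
            if ($1 == allow || $1 == deny) {
                gid[$1] = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) listed[$1, m[i]] = 1
            }
            next
        }
        # second file: name:passwd:uid:gid:... (only users that still exist)
        !/^#/ && NF >= 4 && member(allow, $1, $4) && !member(deny, $1, $4) {
            out = (out == "" ? "" : out ",") $1
        }
        END {
            if (!((allow in gid) && (deny in gid))) exit 2   # fail closed
            print out
        }
    ' "$3" "$4"
}

# Constructed sample data: bob is listed in dodgy, carol has dodgy as her
# primary group, dave has accounts as his primary group without being listed.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'accounts:*:1001:alice,bob,carol' 'dodgy:*:1002:bob' > "$d/group"
    printf '%s\n' 'alice:*:2001:2001::/home/alice:/bin/sh' \
        'bob:*:2002:2002::/home/bob:/bin/sh' \
        'carol:*:2003:1002::/home/carol:/bin/sh' \
        'dave:*:2004:1001::/home/dave:/bin/sh' > "$d/passwd"
    allowed_members "${1:-accounts}" "${2:-dodgy}" "$d/group" "$d/passwd"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Cron use on FreeBSD (assumes the group notdodgyaccounts already exists):
#   m=$(allowed_members accounts dodgy /etc/group /etc/passwd) &&
#       pw groupmod notdodgyaccounts -M "$m"
demo
```

Access is only as current as the last cron run, so a user added to "dodgy" keeps access to "master-file" until the next run rewrites the derived group.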