ACL trouble

LuKreme kremels at kreme.com
Mon Feb 5 18:46:58 UTC 2018


On Feb 5, 2018, at 08:16, Frank Leonhardt <freebsd-doc at fjl.co.uk> wrote:
> The problem with ACLs, as I understand them, is that the system will search through until it finds an "allow" condition and only return "deny" if it completely fails. In other words, Group1 OR Group2 = Allow. I want a condition that says Group1 AND Group2 = Allow.

That is not my experience with ACLs in general, but I have not used them on FreeBSD.

For example, on my machine I used to have a folder of movies that were world readable, but all the R and NC-17 movies in the folder were tagged with an ACL that meant the kids' accounts could not read the files. They could see the file names because they could read the directory, but they could not play the movies.

Similarly, I had a folder that was not accessible to them: they could see the name of the folder, but could not see the contents, and because those files inherited the ACL of the folder, even if they'd guessed at the name of a file, they would not have been able to access it.

My understanding is that ACLs evaluate all the rules, and then fall through to the UNIX permission if nothing matches a rule.

-- 
This is my signature. There are many like it, but this one is mine.
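The two set-ups described above (a world-readable folder whose rated files carry a deny entry for the kids' group, and an "either group may read" list) can be reproduced with a small model of NFSv4-style ACL evaluation, the ACL flavour FreeBSD offers on UFS and ZFS. This is an added illustration, not code from either poster; the users, groups, file layouts and the read/write/execute permission names are constructed sample data, and the evaluation rule is the one in RFC 7530 section 6.2.1: ACEs are walked in order, a DENY entry that covers any still-ungranted requested permission rejects the request, an ALLOW entry grants what it lists, and the request succeeds only once every requested permission has been granted.

```python
"""Toy model of NFSv4-style ACL evaluation (added example, not from the thread).
Classic mode bits are represented as trailing owner@/group@/everyone@ ACEs,
which is how FreeBSD's getfacl(1) displays them.  All principals and files
below are constructed sample data."""
from dataclasses import dataclass


@dataclass
class Ace:
    kind: str           # "allow" or "deny"
    who: str            # "owner@", "group@", "everyone@", "user:NAME" or "group:NAME"
    perms: frozenset    # subset of {"read", "write", "execute"}


@dataclass
class User:
    name: str
    groups: frozenset


@dataclass
class FsObject:
    owner: str
    group: str
    acl: list           # ordered list of Ace; order is significant


def ace_matches(ace: Ace, user: User, obj: FsObject) -> bool:
    """Does this ACE's principal apply to the calling user?"""
    if ace.who == "everyone@":
        return True
    if ace.who == "owner@":
        return user.name == obj.owner
    if ace.who == "group@":
        return obj.group in user.groups
    kind, _, name = ace.who.partition(":")
    if kind == "user":
        return user.name == name
    if kind == "group":
        return name in user.groups
    raise ValueError(f"unknown principal {ace.who!r}")


def check_access(user: User, obj: FsObject, requested) -> bool:
    """RFC 7530 evaluation: first matching ACE per permission bit decides."""
    remaining = set(requested)
    for ace in obj.acl:
        if not remaining:
            break                     # everything requested already granted
        if not ace_matches(ace, user, obj):
            continue
        if ace.kind == "deny":
            if ace.perms & remaining:
                return False          # an undecided bit hit a DENY ACE
        else:
            remaining -= ace.perms    # grant what this ALLOW ACE lists
    return not remaining              # list exhausted with bits undecided -> deny


# Constructed sample principals.
KID = User("kid", frozenset({"kids"}))
DAD = User("dad", frozenset({"wheel"}))
GUEST = User("guest", frozenset({"guests"}))

# ACE equivalent of mode 0644: owner read/write, group and everyone read.
MODE_0644 = [
    Ace("allow", "owner@", frozenset({"read", "write"})),
    Ace("allow", "group@", frozenset({"read"})),
    Ace("allow", "everyone@", frozenset({"read"})),
]


def rated_movie() -> FsObject:
    """World-readable file with a DENY ACE for group 'kids' placed first."""
    return FsObject("dad", "wheel",
                    [Ace("deny", "group:kids", frozenset({"read"}))] + MODE_0644)


def misordered_movie() -> FsObject:
    """Same DENY ACE appended after the mode-bit ACEs: it never fires, because
    everyone@ has already granted 'read' by the time it is reached."""
    return FsObject("dad", "wheel",
                    MODE_0644 + [Ace("deny", "group:kids", frozenset({"read"}))])


def either_group_file() -> FsObject:
    """Two ALLOW ACEs: membership in group1 OR group2 is enough to read."""
    return FsObject("dad", "wheel", [
        Ace("allow", "group:group1", frozenset({"read"})),
        Ace("allow", "group:group2", frozenset({"read"})),
    ])
```

The ordering point is the practical one: the deny entry only works if it is evaluated before the everyone@ entry that the mode bits contribute, which on FreeBSD means inserting it at the head of the list (for example `setfacl -a 0 g:kids:r:deny movie.mkv`) and checking the resulting order with `getfacl`. Because each ACE names a single principal, a "member of group1 AND group2" condition has no direct expression in this model; the usual workaround is a dedicated group whose membership is the intersection.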


More information about the freebsd-questions mailing list