POSIX ACLs -- under-specified areas in Draft Standard 17?

Andreas Gruenbacher a.gruenbacher at infosys.tuwien.ac.at
Sat Oct 2 22:37:09 GMT 1999


Hello List,

I'm implementing POSIX-like ACLs for the Linux OS (among others).
My most up-to-date reference is Draft Standard 17; I hope this is not
completely out-of-date.

Draft 17 does not talk about the semantics of the default ACL being
applied when a new file is created. Just copying the default ACL into
the ACL unmodified is dumb. When a user creates a file or directory,
they specify a mask of maximum rights the new item should have. So
step one seems to be to remove all the permissions from all the ACL
entries of the new item that are not set in the create mask (using
the owning group bits for all named entries).

This still leaves us with a stupid restriction:
It is not possible to grant one specific user other rights than
another user when creating a file/directory inside a directory
that has a default ACL. With one rather small change, this can be
improved. (I'm asking you to tell me whether what I'm describing
here makes any sense at all.)

  When creating a file inside a directory that has a default ACL,
  a user gets as a minimum all permissions defined by the USER_OBJ
  entry. In addition to that, the `usual' algorithm is used to
  determine the permissions the user would get, were he/she not
  the file's owner. These permissions are added to the
  permissions the user is granted. (One option here is not to
  consider the OTHER_OBJ entry in this case. Seems to make sense
  to me.)

The next thing is to determine what the MASK_OBJ entry of the new
ACL should be. I could imagine always setting it to the union of
all permissions set in all the entries affected by the mask. Leaving
the MASK_OBJ entry as it is is another possibility.

This approach has the following advantages:

- Different users may be granted different permissions on files they
  create (e.g., create and then only read, create and then read/write)

- The creator may be granted more permissions than if he/she were
  not the creator (e.g., everybody read, creator read/write)

- The creator may even be granted fewer permissions than if he/she were
  not the creator, if the MASK_OBJ entry is modified as outlined above.
  While this seems rather obscure, there may also be valid applications
  for this. (Imagine one user distributing fill-out documents in which
  other users are supposed to fill in sensitive information. You don't
  want the distributor to read the documents after the users have
  modified them.)

Are these things the Standard Committee considered?

Andreas

------------------------------------------------------------------------
 Andreas Gruenbacher, Vienna University of Technology
 a.gruenbacher at infosys.tuwien.ac.at
 Contact information: http://www.infosys.tuwien.ac.at/~agruenba
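An added example, not from the post or from any ACL implementation, that models the inheritance the post proposes in Python: step one masks the copied default ACL by the create mode, then the creator's USER_OBJ entry is widened by what the `usual' lookup would grant a non-owner (OTHER ignored) and MASK_OBJ is set to the union of the entries it governs. The entry tags, the `R`/`W`/`X` bit values, the `inherit_acl` signature and the sample ACL are all assumptions constructed for the example.

```python
from functools import reduce
from operator import or_

R, W, X = 4, 2, 1  # rwx bits of one ACL entry, same layout as a mode word

def apply_mode(default_acl, mode):
    """Step one of the post: clear from every default entry the permissions the
    create mode (e.g. 0o666) does not grant. Owner bits bound USER_OBJ, other
    bits bound OTHER, and the group bits bound GROUP_OBJ and all named entries."""
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    bound = {"USER_OBJ": owner, "OTHER": other, "MASK": 7}
    return [(tag, who, perms & bound.get(tag, group)) for tag, who, perms in default_acl]

def perms_if_not_owner(acl, uid, gids, file_gid):
    """The `usual' lookup for a non-owner: a named USER entry wins outright,
    otherwise the union of GROUP_OBJ (if in the owning group) and matching
    named GROUP entries; both limited by MASK. OTHER is deliberately skipped."""
    entries = {(tag, who): perms for tag, who, perms in acl}
    mask = entries.get(("MASK", None), 7)
    if ("USER", uid) in entries:
        return entries[("USER", uid)] & mask
    hits = [p for t, who, p in acl
            if (t == "GROUP_OBJ" and file_gid in gids) or (t == "GROUP" and who in gids)]
    return reduce(or_, hits, 0) & mask

def inherit_acl(default_acl, mode, uid, gids, file_gid):
    """Build the new item's ACL: mask by the create mode, then (the proposal)
    give the creator USER_OBJ plus what they would get as a non-owner, and set
    MASK to the union of all entries it governs (the post's first option)."""
    acl = apply_mode(default_acl, mode)
    extra = perms_if_not_owner(acl, uid, gids, file_gid)
    acl = [(t, who, p | extra if t == "USER_OBJ" else p) for t, who, p in acl]
    union = reduce(or_, (p for t, _, p in acl if t in ("USER", "GROUP_OBJ", "GROUP")), 0)
    return [(t, who, union if t == "MASK" else p) for t, who, p in acl]

def owner_perms(acl):
    return next(p for t, _, p in acl if t == "USER_OBJ")

# Constructed default ACL: u::r--  u:alice:rw-  u:bob:r--  g::---  m::rw-  o::---
DEFAULT = [("USER_OBJ", None, R), ("USER", "alice", R | W), ("USER", "bob", R),
           ("GROUP_OBJ", None, 0), ("MASK", None, R | W), ("OTHER", None, 0)]

if __name__ == "__main__":
    for who in ("alice", "bob"):
        acl = inherit_acl(DEFAULT, 0o666, who, {"staff"}, "staff")
        print(who, "creates a file and gets owner perms", owner_perms(acl))  # alice 6, bob 4
```

With the same default ACL, alice ends up owning files she can read and write while bob only gets read on his, which is the "create and then read/write" versus "create and then only read" case from the list above; a create mode of 0o644 clips alice back to read-only because the group bits bound her named entry.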