ACLs: Group permission test
James Buster
bitbug at seal.engr.sgi.com
Thu Oct 7 00:41:01 GMT 1999
On Oct 7, 1:11am, Andreas Gruenbacher wrote:
} I still find this a very strange definition. Accumulation is what
} everybody and their dog would expect, yet POSIX is different.
} Standards are strange...
That's what the Rationale is for. Section B.23.10, Multiple Group
Evaluation explains why they did what they did:
1) First group id match. In this approach, the first entry that matches
one of the process's groups is used to determine access. Access is
granted if the matched entry grants the requested permissions.

This approach provides a simple solution to the problem, but it does so
by putting a burden on the user to order the ACL_GROUP entries correctly
to get the desired result. Also, while this is efficient, it dictates
implementation details because the ACL entries must be maintained by
the system in the order they were entered by the user.

2) Intersection of matching entries. In this approach, the permissions of
all the entries which match groups of the process are intersected
(ANDed) together. Access is granted if the result of the intersection
grants the requested permissions.

This approach provides a slightly complex solution (from a user point
of view) to the problem, but is considered very restrictive. It is
difficult to justify that a process that is granted read access through
one group and write access through another should actually get no access.

3) Union of matching entries. In this approach, the union is taken of the
permissions of all the entries which match groups of the process.
Access is granted if the result of the union grants the requested
permissions.

This approach provides a slightly complex solution (from a user point
of view) to the problem, but is considered rather permissive. It is
not possible to ensure denial of access to all members of a group via
a restrictive group entry because members of that group may be allowed
access via membership in other groups. It is also possible for a process
to be granted more access than is granted by a single entry e.g. one entry
grants read access, another grants write access and the process is granted
read *and* write access.

4) Permission match. In this approach, the permissions of all the entries
which match groups of the process are compared with the requested access.
Access is granted if a matched entry grants at least the requested
permissions.

This approach provides a simple solution to the problem that is very
similar to the POSIX.1 semantics. In POSIX.1, if a process is in the file
group class and the file group class permissions grant at least the
requested access, then the process is granted access. In this approach,
if a process is in the file group class and the permissions of one of
the ACL entries in the file group class grant at least the requested
access, then the process is granted access.

One of the goals of the ACL mechanism is to be compatible with POSIX.1.
Of the different approaches considered, the "Permission match" approach
provides the semantics that most closely match POSIX.1 and is the chosen
approach.
--
Planet Bog -- pools of toxic chemicals bubble under a choking
atmosphere of poisonous gases... but aside from that, it's not
much like Earth.
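The four evaluation strategies quoted from the rationale, modelled side by side as an added example (this is not code from the posix1e list, the rationale, or any ACL implementation). A toy ACL with two ACL_GROUP entries, "devs" granting read and "ops" granting write, is a constructed input; a process in both groups asks for read, write, and read+write, and each strategy answers differently. Entry layout, the function names and the group names are all assumptions made for this illustration.

```python
"""Toy model of the four 'multiple group evaluation' strategies that the
POSIX.1e rationale (B.23.10) compares.  Added illustration only; the
AclEntry layout and all names here are assumptions, not a real ACL API.
Only ACL_GROUP entries are modelled; owner, named-user, mask and other
entries of a real POSIX.1e ACL are deliberately left out.
"""
from dataclasses import dataclass

ALL_PERMS = frozenset({"r", "w", "x"})


@dataclass(frozen=True)
class AclEntry:
    tag: str           # entry type; only "group" (ACL_GROUP) is used here
    qualifier: str     # group name the entry applies to
    perms: frozenset   # subset of {"r", "w", "x"} the entry grants


def _matching(acl, process_groups):
    """ACL_GROUP entries whose group is one of the process's groups, in ACL order."""
    return [e for e in acl if e.tag == "group" and e.qualifier in process_groups]


def first_match(acl, process_groups, requested):
    """1) First group id match: only the first matching entry decides."""
    matched = _matching(acl, process_groups)
    return bool(matched) and requested <= matched[0].perms


def intersection(acl, process_groups, requested):
    """2) Intersection: AND the permissions of every matching entry together."""
    matched = _matching(acl, process_groups)
    if not matched:
        return False
    granted = ALL_PERMS
    for entry in matched:
        granted &= entry.perms
    return requested <= granted


def union(acl, process_groups, requested):
    """3) Union: OR the permissions of every matching entry together."""
    granted = frozenset()
    for entry in _matching(acl, process_groups):
        granted |= entry.perms
    return requested <= granted


def permission_match(acl, process_groups, requested):
    """4) Permission match (the chosen POSIX.1e semantics): access is granted
    only if a single matching entry grants at least the requested permissions."""
    return any(requested <= e.perms for e in _matching(acl, process_groups))


STRATEGIES = {
    "first_match": first_match,
    "intersection": intersection,
    "union": union,
    "permission_match": permission_match,
}


def evaluate_all(acl, process_groups, requested):
    """Run every strategy on the same request and return {strategy: granted?}."""
    return {name: fn(acl, process_groups, requested) for name, fn in STRATEGIES.items()}


# Constructed sample: read via one group, write via another (the exact
# situation the rationale uses to argue against intersection and union).
SAMPLE_ACL = [
    AclEntry("group", "devs", frozenset({"r"})),
    AclEntry("group", "ops", frozenset({"w"})),
]
PROCESS_GROUPS = frozenset({"devs", "ops"})

if __name__ == "__main__":
    for wanted in ("r", "w", "rw"):
        print(f"request {wanted:2}: {evaluate_all(SAMPLE_ACL, PROCESS_GROUPS, frozenset(wanted))}")
```

Running it shows the trade-offs the rationale describes: intersection denies even plain read (r AND w is empty), union grants read+write although no single entry does, first match depends entirely on which entry was listed first, and permission match grants read and grants write but refuses read+write. A real POSIX.1e check also consults the owner and named-user entries before the group class and applies the mask entry to every group-class entry, so this model is a guide to the group-evaluation rule only, not a drop-in access checker.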