DENY ACLs

[Ken Cross]

(This is a reproduction of the mail sent to the FreeBSD lists.)

Hi:

The current Posix.1e ACL implementation in -current works great as far as it
goes.  I'm sure this has been kicked around before (although I couldn't find
anything in the archives), but it seems like adding "deny" ACL's would be a
useful and fairly straightforward extension.

For those not familiar with it, deny ACL's are ACL's that explicitly deny
access, e.g., group Accountants are allowed access, but user George is
denied access even though he is a member of Accountants.

They are used extensively in the Windows NT/2K world and I need to support
them on a BSD platform.  The implementation is pretty straightforward --
always check deny ACL's first and then access ACL's.  They'd just be a new
acl_type_t value (ACL_TYPE_DENY?).

I'd be happy to help with the implementation (especially since I'll be doing
it regardless).  Any interest or things I should know about?

Ken



To Unsubscribe: send mail to majordomo at cyrus.watson.org
with "unsubscribe posix1e" in the body of the message