From owner-freebsd-fs Mon Aug 20 4:44:12 2001
Message-ID: <028401c1296d$6b01f8f0$0200a8c0@kjc2.com>
From: "Ken Cross"
To: "Ilmar S. Habibulin"
Subject: Re: DENY ACL's
Date: Mon, 20 Aug 2001 07:44:06 -0400

The particular case you show would work, but others won't.

For example, suppose the user is a member of GroupA which is allowed access and also a member of GroupB which is denied access, e.g. "setfacl -m g:GroupA:rwx,g:GroupB: file". (There's no user-specific ACL.) All "deny" ACL's must be checked first, so the user should be denied. Under the current scheme, I think the "best match" would allow access.

Good thought, though. Thanks.

Ken

> >
> > For those not familiar with it, deny ACL's are ACL's that explicitly deny
> > access, e.g., group Accountants are allowed access, but user George is
> > denied access even though he is a member of Accountants.
>
> Would something like "setfacl -m g:group1:rw,u:user1: file", where user1
> is the member of group group1 satisfy you?
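The two setfacl cases discussed in this message, worked through as an added example (not part of the original thread and not FreeBSD source). It models the POSIX.1e draft "best match" order and, as an assumption, a deny-first rule in which an empty named entry counts as a deny; the owner `root`, owning group `wheel`, the user name `george` for the GroupA/GroupB case and the base entries are constructed sample values.

```python
# Added illustration, not FreeBSD source. ACL entries are (tag, qualifier, perms)
# with perms a set of "r"/"w"/"x"; an empty set models "g:GroupB:" style entries.

def _obj(acl, tag):
    return next((p for t, _, p in acl if t == tag), set())

def best_match(acl, mask, uid, gids, owner, owner_gid, want):
    """POSIX.1e draft order: owner, named user, group class, other."""
    want = set(want)
    if uid == owner:
        return want <= _obj(acl, "user_obj")
    for tag, qual, perms in acl:
        if tag == "user" and qual == uid:
            return want <= (perms & mask)   # a named user entry decides alone
    matched = False
    for tag, qual, perms in acl:
        if (tag == "group_obj" and owner_gid in gids) or \
           (tag == "group" and qual in gids):
            matched = True
            if want <= (perms & mask):
                return True                 # any one matching group grants
    return False if matched else want <= _obj(acl, "other")

def deny_first(acl, mask, uid, gids, owner, owner_gid, want):
    """Assumed deny semantics: an empty named entry matching the caller
    is a deny and is honoured before any allow entry is considered."""
    for tag, qual, perms in acl:
        hit = (tag == "user" and qual == uid) or (tag == "group" and qual in gids)
        if hit and not perms:
            return False
    return best_match(acl, mask, uid, gids, owner, owner_gid, want)

RWX = {"r", "w", "x"}
# Constructed sample: setfacl -m g:GroupA:rwx,g:GroupB: file
KEN_ACL = [("user_obj", None, RWX), ("group_obj", None, {"r"}),
           ("group", "GroupA", RWX), ("group", "GroupB", set()),
           ("other", None, set())]
# Constructed sample: setfacl -m g:group1:rw,u:user1: file
ILMAR_ACL = [("user_obj", None, RWX), ("group_obj", None, {"r"}),
             ("user", "user1", set()), ("group", "group1", {"r", "w"}),
             ("other", None, set())]

def demo():
    ken = (KEN_ACL, RWX, "george", {"GroupA", "GroupB"}, "root", "wheel", "r")
    ilmar = (ILMAR_ACL, {"r", "w"}, "user1", {"group1"}, "root", "wheel", "r")
    return {"ken_best_match": best_match(*ken), "ken_deny_first": deny_first(*ken),
            "ilmar_best_match": best_match(*ilmar), "ilmar_deny_first": deny_first(*ilmar)}

if __name__ == "__main__":
    print(demo())
```

The user-versus-group case is denied under both rules because the named user entry is consulted before any group, while the two-group case is denied only under the deny-first rule.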