From: Frank Leonhardt
To: Freebsd Questions
Subject: ACL trouble
Date: Mon, 05 Feb 2018 15:16:22 +0000
Message-ID: <634f440c0ab99f5c49bf592a6e796789@roundcube.fjl.org.uk>
User-Agent: Roundcube Webmail/0.9.2

I know there is more than one flavour of ACL but in general...

Imagine you have two groups - one "accounts" and another "dodgy". If it helps you could even have a third - "notdodgy" - which contains all the users not in "dodgy". You have a resource, called "master-file". This must be accessible to everyone in accounts EXCEPT for those also in the dodgy group. That's right - you have some dodgy accountants. How do you do this?
The problem with ACLs, as I understand them, is that the system will search through until it finds an "allow" condition and only return "deny" if it completely fails. In other words, Group1 OR Group2 = Allow. I want a condition that says Group1 AND Group2 = Allow. If this is beyond what ACLs can do I have a clunky Plan B: a cron job that will maintain a third group called "notdodgyaccounts" and use that as the group owner of "master-file", avoiding ACLs completely. But I thought ACLs were supposed to be the answer to everything. Am I missing something?

Thanks, Frank.
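The evaluation order is the crux of the question above. As an added example (not part of the post), here is a small Python model of NFSv4-style ACL evaluation, the flavour FreeBSD uses on ZFS and NFSv4-enabled UFS: entries are walked in order, so a deny entry for "dodgy" placed before the allow entry for "accounts" yields exactly "accounts AND NOT dodgy", while the same two entries in the opposite order let the dodgy accountant through. The users, group membership, permission bit values and the setfacl line in the comment are constructed or assumed for illustration.

```python
from dataclasses import dataclass

# Constructed permission bits for the model (not the real NFSv4 mask values).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

@dataclass
class Ace:
    kind: str        # "allow" or "deny"
    principal: str   # "g:<group>" or "u:<user>"
    mask: int        # permission bits this entry speaks about

# Constructed group directory matching the scenario: bob is a dodgy accountant.
GROUPS = {
    "accounts": {"alice", "bob", "carol"},
    "dodgy": {"bob"},
}

def matches(ace: Ace, user: str) -> bool:
    """Does this entry apply to the user (by name or group membership)?"""
    kind, name = ace.principal.split(":", 1)
    if kind == "u":
        return name == user
    return user in GROUPS.get(name, set())

def check_access(acl: list, user: str, requested: int) -> bool:
    """NFSv4-style evaluation (RFC 5661 section 6.2.1): walk entries in order.
    An allow entry removes the bits it grants from the still-undecided set; a
    deny entry that covers any still-undecided bit denies the whole request.
    Bits that no entry ever allows are denied by default."""
    remaining = requested
    for ace in acl:
        if not matches(ace, user):
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return remaining == 0

# Deny first, then allow. On FreeBSD the first entry corresponds to something like
# "setfacl -a 0 g:dodgy:full_set:deny master-file" (assumed syntax; see setfacl(1)).
MASTER_FILE_ACL = [
    Ace("deny", "g:dodgy", READ | WRITE | EXECUTE),
    Ace("allow", "g:accounts", READ | WRITE),
]
# Same entries, opposite order: the allow for "accounts" settles bob's request
# before the deny is ever reached, which is the OR behaviour the post describes.
WRONG_ORDER_ACL = list(reversed(MASTER_FILE_ACL))
```

Because FreeBSD's NFSv4 setfacl inserts new entries at the front by default, appending a deny entry later with -a at a high position would silently recreate the wrong-order case; inspect the result with getfacl after each change.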