Date: Mon, 20 Aug 2001 10:12:49 -0400 From: "Ken Cross" <kcross@ntown.com> To: "Ilmar S. Habibulin" <ilmar@watson.org> Cc: <freebsd-fs@FreeBSD.ORG>, <freebsd-security@FreeBSD.ORG> Subject: Re: DENY ACL's Message-ID: <000f01c12982$321d68c0$0200a8c0@kjc2.com> References: <Pine.BSF.3.96.1010820093328.39779C-100000@fledge.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
> > > The particular case you show would work, but others won't. > > I think that the example given below is the result of badly formed > security policy. Not really. There are real cases in large organizations where that configuration is perfectly legitimate. OTOH, it is often the result of "quick-fix" solutions. But that's the real world... > > > For example, suppose the user is a member of GroupA which is allowed access > > and also a member of GroupB which is denied access, e.g. "setfacl -m > > g:GroupA:rwx,g:GroupB: file". (There's no user-specific ACL.) > > All "deny" ACL's must be checked first, so the user should be denied. Under > > the current scheme, I think the "best match" would allow access. > > Yes, user will have access to file, but why shouldn't he have it? For whatever reason, the administrators decided to explicitly deny access to GroupB. By definition, that *must* be honored first. I don't make the rules, but I gotta live by them. ;-) Ken To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000f01c12982$321d68c0$0200a8c0>