Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 20 Aug 2001 09:39:03 -0400 (EDT)
From:      "Ilmar S. Habibulin" <ilmar@watson.org>
To:        Ken Cross <kcross@ntown.com>
Cc:        freebsd-fs@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject:   Re: DENY ACL's
Message-ID:  <Pine.BSF.3.96.1010820093328.39779C-100000@fledge.watson.org>
In-Reply-To: <028401c1296d$6b01f8f0$0200a8c0@kjc2.com>

next in thread | previous in thread | raw e-mail | index | archive | help


On Mon, 20 Aug 2001, Ken Cross wrote:

> The particular case you show would work, but others won't.
I think that the example given below is the result of badly formed
security policy.
 
> For example, suppose the user is a member of GroupA which is allowed access
> and also a member of GroupB which is denied access, e.g. "setfacl -m
> g:GroupA:rwx,g:GroupB: file".  (There's no user-specific ACL.)
> All "deny" ACL's must be checked first, so the user should be denied.  Under
> the current scheme, I think the "best match" would allow access.
Yes, user will have access to file, but why shouldn't he have it?

> Good thought, though.  Thanks.
You are welcome. ;-)



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-fs" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.1010820093328.39779C-100000>