Date: Mon, 20 Aug 2001 09:39:03 -0400 (EDT)
From: "Ilmar S. Habibulin" <ilmar@watson.org>
To: Ken Cross
Cc: freebsd-fs@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: DENY ACL's
In-Reply-To: <028401c1296d$6b01f8f0$0200a8c0@kjc2.com>

On Mon, 20 Aug 2001, Ken Cross wrote:

> The particular case you show would work, but others won't.

I think that the example given below is the result of a badly formed security policy.

> For example, suppose the user is a member of GroupA which is allowed access
> and also a member of GroupB which is denied access, e.g. "setfacl -m
> g:GroupA:rwx,g:GroupB: file". (There's no user-specific ACL.)
>
> All "deny" ACL's must be checked first, so the user should be denied. Under
> the current scheme, I think the "best match" would allow access.

Yes, the user will have access to the file, but why shouldn't he have it?

> Good thought, though. Thanks.

You are welcome. ;-)
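The two evaluation orders the thread argues about, worked through in code. This is an added example, not FreeBSD's ACL code and not anything posted by either participant: it simulates the POSIX.1e access check (owner entry, then named user, then the group entries, where any matching group entry that grants the request is sufficient) next to the "deny first" order Ken Cross proposes, and runs both against the quoted "g:GroupA:rwx,g:GroupB:" case. The entry syntax follows setfacl(1); the base entries (u::, g::, m::, o::), the owner root, the owning group wheel and the user names are constructed for the example, and users and groups are plain names rather than numeric IDs.

```python
"""POSIX.1e ACL evaluation versus a deny-first scheme.

Added example for the thread above, not FreeBSD code. It models how the
POSIX.1e algorithm resolves a user who matches several group entries, and
how Ken Cross's deny-first proposal would resolve the same request.
Entry syntax follows setfacl(1): u::perms (owner), u:NAME:perms,
g::perms (owning group), g:NAME:perms, m::perms (mask), o::perms (other).
An empty permission field, as in "g:GroupB:", means no permissions.
Users and groups are plain names here rather than numeric IDs (assumption).
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perms(text):
    """'rwx' -> 7, 'r--' -> 4, '' -> 0; '-' placeholders are ignored."""
    bits = 0
    for ch in text:
        if ch in PERM_BITS:
            bits |= PERM_BITS[ch]
        elif ch != "-":
            raise ValueError("bad permission character %r" % ch)
    return bits


def parse_acl(text):
    """Parse a comma-separated setfacl entry list into (tag, qualifier, bits)."""
    entries = []
    for item in text.split(","):
        parts = item.split(":")
        if len(parts) != 3 or parts[0] not in ("u", "g", "m", "o"):
            raise ValueError("bad ACL entry %r" % item)
        tag, qualifier, perms = parts
        entries.append((tag, qualifier, parse_perms(perms)))
    return entries


def _entry(acl, tag, qualifier):
    """Bits of the first entry with this tag and qualifier, or None."""
    return next((bits for t, q, bits in acl if t == tag and q == qualifier), None)


def _granted(bits, want):
    return bits & want == want


def posix1e_access(acl, owner, owning_group, uid, groups, want):
    """POSIX.1e order: owner entry, named user entry, then the group entries.
    Among matching group entries, any one that grants the request is enough;
    the request is denied on groups only if entries matched and none granted."""
    want = parse_perms(want)
    # The mask caps named users and all group entries; no mask means no cap.
    mask = _entry(acl, "m", "")
    mask = 7 if mask is None else mask

    if uid == owner:
        return _granted(_entry(acl, "u", ""), want)
    named = _entry(acl, "u", uid)
    if named is not None:
        return _granted(named & mask, want)

    matched = False
    for tag, qualifier, bits in acl:
        if tag != "g":
            continue
        group = owning_group if qualifier == "" else qualifier
        if group in groups:
            matched = True
            if _granted(bits & mask, want):
                return True   # g:GroupA:rwx is enough, whatever g:GroupB: says
    if matched:
        return False          # matched only groups that lack the permission
    return _granted(_entry(acl, "o", ""), want)


def deny_first_access(acl, owner, owning_group, uid, groups, want):
    """Ken Cross's proposal: a matching group entry that withholds the requested
    permission is treated as a deny and checked before any grant."""
    want_bits = parse_perms(want)
    mask = _entry(acl, "m", "")
    mask = 7 if mask is None else mask
    for tag, qualifier, bits in acl:
        group = owning_group if qualifier == "" else qualifier
        if tag == "g" and group in groups and not _granted(bits & mask, want_bits):
            return False
    return posix1e_access(acl, owner, owning_group, uid, groups, want)


# Constructed example: the ACL from the quoted message plus the base entries
# setfacl requires; owner root, owning group wheel (both assumed).
EXAMPLE_ACL = "u::rw-,g::r--,g:GroupA:rwx,g:GroupB:,m::rwx,o::---"

if __name__ == "__main__":
    acl = parse_acl(EXAMPLE_ACL)
    for name, check in (("POSIX.1e", posix1e_access), ("deny-first", deny_first_access)):
        ok = check(acl, "root", "wheel", "alice", {"GroupA", "GroupB"}, "r")
        print("%-10s alice in GroupA+GroupB reads file: %s" % (name, ok))
```

Under posix1e_access a user in both GroupA and GroupB is granted read because g:GroupA:rwx matches and grants; a user in GroupB alone is denied, since the only matching group entry withholds everything and the o:: entry is never consulted once a group matched. deny_first_access refuses the same request for the GroupA+GroupB user as soon as it sees the empty GroupB entry, which is the behaviour Ken Cross asks for and the one the reply argues reflects a badly formed policy rather than a flaw in the evaluation order.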