Date: Mon, 20 Aug 2001 11:01:21 -0400
From: "Ken Cross" <kcross@ntown.com>
To: "Chris BeHanna" <behanna@zbzoom.net>, <freebsd-fs@FreeBSD.ORG>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: DENY ACL's
Message-ID: <001b01c12988$f99cabd0$0200a8c0@kjc2.com>
References: <Pine.BSF.4.32.0108201035050.9651-100000@topperwein.dyndns.org>
As currently implemented, the FreeBSD ACL checks use a "best match" algorithm. It checks *all* group ACLs for one that matches the requested permissions. If found (as it would in the case below), access is allowed. That's why I need a "deny" ACL.

Ken

> Perhaps I misremember, but weren't there access control systems
> that use "first match" syntax? That would (partly) solve this
> problem:
>
> GroupB:
> GroupA:rwx
>
> Here, GroupB would match first, and the user would be denied; however,
> another rule can be added:
>
> UserA:rwx
> GroupB:
> GroupA:rwx
>
> and all is well with the world.
>
> --
> Chris BeHanna
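To make the difference between the two evaluation strategies concrete, here is an added example that is not part of the thread and not FreeBSD's code: a small model of the "best match" group check Ken describes beside the ordered "first match" scheme Chris proposes, run over the exact ACLs from the quoted reply. The caller name UserA, the groups GroupA and GroupB, and the caller's membership in both groups are constructed for the demonstration.

```python
# Added example (not from the thread, not FreeBSD's implementation): a model of
# the two ACL evaluation strategies discussed. The Entry type and the scenario
# (UserA belonging to both GroupA and GroupB) are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    kind: str    # "user" or "group"
    name: str
    perms: str   # subset of "rwx"; "" is an entry that grants nothing


def _grants(perms: str, wanted: str) -> bool:
    """True if every requested permission bit is present in the entry."""
    return all(p in perms for p in wanted)


def best_match(acl, user, groups, wanted):
    """Model of the check Ken describes: a named-user entry for the caller
    decides; otherwise *every* group entry the caller belongs to is consulted,
    and access is allowed if any one of them grants the request."""
    for e in acl:
        if e.kind == "user" and e.name == user:
            return _grants(e.perms, wanted)
    group_entries = [e for e in acl if e.kind == "group" and e.name in groups]
    return any(_grants(e.perms, wanted) for e in group_entries)


def first_match(acl, user, groups, wanted):
    """Model of the ordered scheme from the quoted reply: the first entry that
    applies to the caller decides, and later entries are never consulted."""
    for e in acl:
        if (e.kind == "user" and e.name == user) or \
           (e.kind == "group" and e.name in groups):
            return _grants(e.perms, wanted)
    return False


# Constructed scenario: the caller is a member of both groups.
CALLER = "UserA"
CALLER_GROUPS = {"GroupA", "GroupB"}
ACL_DENY_FIRST = [Entry("group", "GroupB", ""), Entry("group", "GroupA", "rwx")]
ACL_USER_OVERRIDE = [Entry("user", "UserA", "rwx")] + ACL_DENY_FIRST


def demo():
    """Evaluate an rwx request under both strategies for the thread's ACLs."""
    return {
        "best_match/deny_first": best_match(ACL_DENY_FIRST, CALLER, CALLER_GROUPS, "rwx"),
        "first_match/deny_first": first_match(ACL_DENY_FIRST, CALLER, CALLER_GROUPS, "rwx"),
        "first_match/user_override": first_match(ACL_USER_OVERRIDE, CALLER, CALLER_GROUPS, "rwx"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

Under best match the empty GroupB entry is simply skipped because GroupA grants rwx, which is the gap Ken wants a deny entry for; under first match the same ACL denies, and the explicit UserA entry placed first restores access as the quoted reply says.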