From owner-freebsd-security Mon Aug 20 8: 1:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from ntown.esper.com (ntown.esper.com [216.111.16.26]) by hub.freebsd.org (Postfix) with ESMTP id C3F9F37B405; Mon, 20 Aug 2001 08:01:23 -0700 (PDT) (envelope-from kcross@ntown.com) Received: from kjcwin2k (kcross.ntown.esper.com [216.111.19.212]) by ntown.esper.com (8.11.4/8.11.4) with SMTP id f7KF8dE28115; Mon, 20 Aug 2001 11:08:39 -0400 Message-ID: <001b01c12988$f99cabd0$0200a8c0@kjc2.com> From: "Ken Cross" To: "Chris BeHanna" , Cc: References: Subject: Re: DENY ACL's Date: Mon, 20 Aug 2001 11:01:21 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org As currently implemented, the FreeBSD ACL checks use a "best match" algorithm. It checks *all* group ACLs for one that matches the requested permissions. If found (as it would in the case below), access is allowed. That's why I need a "deny" ACL. Ken > Perhaps I misremember, but weren't there access control systems > that use "first match" syntax? That would (partly) solve this > problem: > > GroupB: > GroupA:rwx > > Here, GroupB would match first, and the user would be denied; however, > another rule can be added: > > UserA:rwx > GroupB: > GroupA:rwx > > and all is well with the world. > > -- > Chris BeHanna To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message