Date: Mon, 5 Feb 2018 11:46:56 -0700
From: LuKreme <kremels@kreme.com>
To: freebsd-questions@freebsd.org
Subject: Re: ACL trouble
Message-ID: <B942A38C-7E37-451A-825A-13117E1E5DA4@kreme.com>
In-Reply-To: <634f440c0ab99f5c49bf592a6e796789@roundcube.fjl.org.uk>
References: <634f440c0ab99f5c49bf592a6e796789@roundcube.fjl.org.uk>

On Feb 5, 2018, at 08:16, Frank Leonhardt <freebsd-doc@fjl.co.uk> wrote:

> The problem with ACLs, as I understand them, is that the system will search through until it finds an "allow" condition and only return "deny" if it completely fails. In other words, Group1 OR Group2 = Allow. I want a condition that says Group1 AND Group2 = Allow.

That is not my experience with ACLs in general, but I have not used them on FreeBSD.

For example, on my machine I used to have a folder of movies that were world readable, but all the R and NC-17 movies in the folder were tagged with an ACL that meant the kids' accounts could not read the files. They could see the file names because they could read the directory, but they could not play the movies.

Similarly, I had a folder that was not accessible to them, they could see the name of the folder, but could not see the contents and because those files inherited the ACL of the folder even if they'd guessed at the name of a file, they would not have been able to access it.

My understanding is that ACLs evaluate all the rules, and then fall through to the UNIX permission if nothing matches a rule.

-- 
This is my signature. There are many like it, but this one is mine.
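
Added example, not part of either poster's message: a small Python model of ordered ACL evaluation in the NFSv4 style (one of the ACL types FreeBSD supports), run against the two scenarios in this thread. The model, the user and group names and the sample ACLs are assumptions constructed for illustration; a trailing everyone@ entry stands in for world-readable mode bits, and owner@/group@ entries and inheritance are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    who: str          # "user:NAME", "group:NAME" or "everyone@"
    kind: str         # "allow" or "deny"
    perms: frozenset  # permission names, e.g. frozenset({"read"})

def matches(ace, user, groups):
    """True if this entry applies to the requesting user."""
    if ace.who == "everyone@":
        return True
    tag, _, name = ace.who.partition(":")
    return (tag == "user" and name == user) or (tag == "group" and name in groups)

def check_access(acl, user, groups, wanted):
    """Walk entries in order; grant only if every wanted permission is allowed."""
    pending = set(wanted)
    for ace in acl:
        if not matches(ace, user, groups):
            continue
        if ace.kind == "deny" and pending & ace.perms:
            return False          # deny on a still-undecided permission ends the walk
        if ace.kind == "allow":
            pending -= ace.perms  # decided permissions are not reconsidered
        if not pending:
            return True
    return not pending            # assumption: undecided permissions are refused

READ = frozenset({"read"})

# Constructed ACLs mirroring the thread (names are hypothetical).
# World-readable movie with a deny for the kids group listed first.
RESTRICTED_MOVIE = [Ace("group:kids", "deny", READ), Ace("everyone@", "allow", READ)]
# Two allow entries: membership in either group is enough (Group1 OR Group2).
EITHER_GROUP = [Ace("group:group1", "allow", READ), Ace("group:group2", "allow", READ)]
# Same entries as RESTRICTED_MOVIE in the other order: the deny is never reached.
MISORDERED = [Ace("everyone@", "allow", READ), Ace("group:kids", "deny", READ)]

if __name__ == "__main__":
    for label, acl in [("restricted", RESTRICTED_MOVIE), ("misordered", MISORDERED)]:
        print(label, "kid can read:", check_access(acl, "timmy", {"kids"}, READ))
    print("group1 only:", check_access(EITHER_GROUP, "alice", {"group1"}, READ))
```

In this model entry order decides the outcome, so a deny placed after a broad allow has no effect.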