From: LuKreme
Date: Mon, 5 Feb 2018 11:46:56 -0700
Subject: Re: ACL trouble
To: freebsd-questions@freebsd.org
In-Reply-To: <634f440c0ab99f5c49bf592a6e796789@roundcube.fjl.org.uk>

On Feb 5, 2018, at 08:16, Frank Leonhardt wrote:

> The problem with ACLs, as I understand them, is that the system will search through until it finds an "allow" condition and only return "deny" if it completely fails. In other words, Group1 OR Group2 = Allow. I want a condition that says Group1 AND Group2 = Allow.

That is not my experience with ACLs in general, but I have not used them on FreeBSD.

For example, on my machine I used to have a folder of movies that were world readable, but all the R and NC-17 movies in the folder were tagged with an ACL that meant the kids' accounts could not read the files. They could see the file names because they could read the directory, but they could not play the movies.

Similarly, I had a folder that was not accessible to them; they could see the name of the folder, but could not see the contents, and because those files inherited the ACL of the folder, even if they'd guessed at the name of a file they would not have been able to access it.

My understanding is that ACLs evaluate all the rules, and then fall through to the UNIX permission if nothing matches a rule.

-- 
This is my signature. There are many like it, but this one is mine.