From owner-freebsd-security Sun Aug 19 16:53: 5 2001
Delivered-To: freebsd-security@freebsd.org
Message-ID: <017001c1290a$14962300$0200a8c0@kjc2.com>
From: "Ken Cross"
Subject: DENY ACL's
Date: Sun, 19 Aug 2001 19:53:01 -0400

Hi:

The current Posix.1e ACL implementation in -current works great as far as it goes.

I'm sure this has been kicked around before (although I couldn't find anything in the archives), but it seems like adding "deny" ACL's would be a useful and fairly straightforward extension.

For those not familiar with it, deny ACL's are ACL's that explicitly deny access, e.g., group Accountants are allowed access, but user George is denied access even though he is a member of Accountants. They are used extensively in the Windows NT/2K world and I need to support them on a BSD platform.

The implementation is pretty straightforward -- always check deny ACL's first and then access ACL's. They'd just be a new acl_type_t value (ACL_TYPE_DENY?).

I'd be happy to help with the implementation (especially since I'll be doing it regardless).

Any interest or things I should know about?

Ken

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
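
The evaluation order proposed in the message above (deny entries first, then access entries), as an added example that is not part of the original post and is not FreeBSD code. It is a user-space C model with hypothetical types and function names; the access pass is a simplified union of matching entries rather than the full POSIX.1e algorithm, and the sample ACLs are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical user-space model; not FreeBSD's acl(3) types or kernel code. */
enum tag { TAG_USER, TAG_GROUP };
enum { P_EXEC = 1, P_WRITE = 2, P_READ = 4 };
struct entry { enum tag tag; const char *name; int perms; };
struct cred { const char *user; const char *groups[4]; int ngroups; };

/* Does this ACL entry name the caller or one of the caller's groups? */
static int entry_matches(const struct entry *e, const struct cred *c)
{
    if (e->tag == TAG_USER)
        return strcmp(e->name, c->user) == 0;
    for (int i = 0; i < c->ngroups; i++)
        if (strcmp(e->name, c->groups[i]) == 0)
            return 1;
    return 0;
}

/* Pass 1: a matching deny entry that covers any requested bit refuses the
 * request outright. Pass 2: access entries are consulted; default is refuse. */
int acl_check(const struct entry *deny, int ndeny, const struct entry *acc,
              int nacc, const struct cred *c, int want)
{
    int granted = 0;
    for (int i = 0; i < ndeny; i++)
        if (entry_matches(&deny[i], c) && (deny[i].perms & want))
            return 0;
    for (int i = 0; i < nacc; i++)
        if (entry_matches(&acc[i], c))
            granted |= acc[i].perms;
    return (granted & want) == want;
}

/* Constructed sample data mirroring the message's Accountants/George case. */
static const struct entry deny_acl[] = { { TAG_USER, "george", P_READ | P_WRITE } };
static const struct entry access_acl[] = { { TAG_GROUP, "accountants", P_READ | P_WRITE } };
const struct cred george = { "george", { "accountants" }, 1 };
const struct cred alice = { "alice", { "accountants" }, 1 };
const struct cred bob = { "bob", { "staff" }, 1 };
int check_sample(const struct cred *c, int want)
{
    return acl_check(deny_acl, 1, access_acl, 1, c, want);
}

int main(void)
{
    printf("george=%d alice=%d\n", check_sample(&george, P_READ), check_sample(&alice, P_READ));
    return 0;
}
```

Swapping the two passes would let George's group membership grant access before his deny entry is seen, which is why the deny pass has to run first and return early.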