Date: Thu, 10 Nov 2005 09:53:05 +0600 From: Victor Sudakov <sudakov@sibptus.tomsk.ru> To: freebsd-fs@freebsd.org Subject: Re: Problem with default ACLs and mask Message-ID: <20051110035305.GA53569@admin.sibptus.tomsk.ru> In-Reply-To: <4355FD57.3060102@ant.uni-bremen.de> References: <434F9DAE.6070607@ant.uni-bremen.de> <20051014134820.GA43849@admin.sibptus.tomsk.ru> <20051014203021.L66014@fledge.watson.org> <435351F7.10101@ant.uni-bremen.de> <20051017141609.GA83692@admin.sibptus.tomsk.ru> <4354D850.8060908@ant.uni-bremen.de> <20051018112135.GA94670@admin.sibptus.tomsk.ru> <4354E644.7090608@ant.uni-bremen.de> <20051018154627.GB95892@admin.sibptus.tomsk.ru> <4355FD57.3060102@ant.uni-bremen.de>
next in thread | previous in thread | raw e-mail | index | archive | help
Heinrich Rebehn wrote: > >>>>Very sad :-( It really seems to be impossible to implment something like > >>>>a "Group Manager" enabling me to delegate priviliges for a group of > >>>>users to some non-root person. > >>> > >>> > >>>What OS allows you to do it? > >>> > >> > >>I have done such things with OpenVMS. Dunno how much control > >>Windows/NTFS allows. > > > > > > Doesn't OpenVMS also have the concept of default ACLs on directories? > > How is the matter handled there? > > > Yes, it has. But it does not have the concept of a "mask", which limits > the resulting access rights. > > In OpenVMS, group members can also "lock out" the group manager by > removing the ACLs. But they must do so on purpose, and the group manager > can talk to them if that happens. > > With Posix1e however, users can inadvertently create directories with > the group write bit removed (by extracting a tar ball), which the group > manager is then unable to delete. Moreover, I recently came across another issue. Consider the following scenario. You set a default ACL on the directory "test". Your user creates a file somewhere else and then moves it into "test". Provided "test" and the other directory are on the same filesystem, the file will not inherit the default ACLs from "test". It will be inside "test", but with a different set of ACLs. M$ Windows works exactly the same way if both the directories are on the same volume. How does OpenVMS handle such a scenario? -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:sudakov@sibptus.tomsk.ru
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20051110035305.GA53569>