From: Victor Sudakov
To: freebsd-fs@freebsd.org
Date: Thu, 10 Nov 2005 09:53:05 +0600
Subject: Re: Problem with default ACLs and mask

Heinrich Rebehn wrote:

> >>>>Very sad :-( It really seems to be impossible to implement something like
> >>>>a "Group Manager" enabling me to delegate privileges for a group of
> >>>>users to some non-root person.
> >>>
> >>>
> >>>What OS allows you to do it?
> >>>
> >>
> >>I have done such things with OpenVMS. Dunno how much control
> >>Windows/NTFS allows.
> >
> >
> > Doesn't OpenVMS also have the concept of default ACLs on directories?
> > How is the matter handled there?
> >
> Yes, it has. But it does not have the concept of a "mask", which limits
> the resulting access rights.
>
> In OpenVMS, group members can also "lock out" the group manager by
> removing the ACLs. But they must do so on purpose, and the group manager
> can talk to them if that happens.
>
> With Posix1e however, users can inadvertently create directories with
> the group write bit removed (by extracting a tar ball), which the group
> manager is then unable to delete.

Moreover, I recently came across another issue. Consider the following
scenario.

You set a default ACL on the directory "test". Your user creates a file
somewhere else and then moves it into "test". Provided "test" and the
other directory are on the same filesystem, the file will not inherit
the default ACLs from "test". It will be inside "test", but with a
different set of ACLs.

M$ Windows works exactly the same way if both the directories are on the
same volume. How does OpenVMS handle such a scenario?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru
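
Added example, not part of the original message and not FreeBSD code: a small Python model of the two POSIX.1e behaviours discussed above, the creation mode narrowing the mask of an object created under a default ACL, and rename() leaving a moved file's ACL untouched. The ACL contents, the named user "manager" and the creation modes are constructed, and `mode` is assumed to be the final creation mode after any umask handling.

```python
# Simplified model of POSIX.1e ACL inheritance; not FreeBSD kernel code.
R, W, X = 4, 2, 1

# Constructed default ACL for directory "test"; "manager" is a hypothetical
# named user standing in for the group manager.
DEFAULT_ACL = {"user::": R | W | X, "user:manager": R | W | X,
               "group::": R | W | X, "mask::": R | W | X, "other::": 0}

def create_in(default_acl, mode):
    """Access ACL of an object created with `mode` (assumed to be the final
    creation mode) inside a directory that carries `default_acl`."""
    acl = dict(default_acl)                 # start from the default ACL
    acl["user::"] &= (mode >> 6) & 7        # owner bits limit user::
    acl["other::"] &= mode & 7              # other bits limit other::
    # The group bits of the mode limit mask:: when a mask exists,
    # otherwise they limit group:: directly.
    key = "mask::" if "mask::" in acl else "group::"
    acl[key] &= (mode >> 3) & 7
    return acl

def rename_into(file_acl, dest_default_acl):
    """rename() on one filesystem only relinks the inode: the access ACL is
    kept and the destination's default ACL is never consulted."""
    return dict(file_acl)

def effective(acl, entry):
    """Rights an entry really grants: everything except user:: and other::
    is limited by mask::. Returns None if the entry does not exist."""
    if entry not in acl:
        return None
    if entry in ("user::", "other::") or "mask::" not in acl:
        return acl[entry]
    return acl[entry] & acl["mask::"]

def rwx(perms):
    """Render a permission bit set as an rwx string."""
    return "".join(c if perms & b else "-" for c, b in zip("rwx", (R, W, X)))

if __name__ == "__main__":
    # Directory extracted by tar with mode 0755: the mask loses write.
    untarred = create_in(DEFAULT_ACL, 0o755)
    print("untarred dir, user:manager ->", rwx(effective(untarred, "user:manager")))
    # File created elsewhere (no default ACL there, mode 0644), then moved.
    moved = rename_into({"user::": R | W, "group::": R, "other::": R}, DEFAULT_ACL)
    print("moved file has user:manager entry:", "user:manager" in moved)
```

On a real system the same two cases can be checked by comparing getfacl output for a directory created with mode 0755 under "test" and for a file moved into it.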