From owner-freebsd-questions  Tue Mar 19  3:48:45 2002
Message-ID: <15511.9609.134146.560977@guru.mired.org>
Date: Tue, 19 Mar 2002 05:48:25 -0600
To: Jan Grant <Jan.Grant@bristol.ac.uk>
Cc: Richard <guyuan@telpacific.com.au>,
	"freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject: Re: How to disallow a certain user or group to access a directory and all other users will not be affected
In-Reply-To: <Pine.GSO.4.44.0203191126480.17702-100000@mail.ilrt.bris.ac.uk>
References: <200203191104.g2JB4VH56561@sydmail3.telpacific.com.au>
	<Pine.GSO.4.44.0203191126480.17702-100000@mail.ilrt.bris.ac.uk>
From: Mike Meyer <mwm-dated-1016970505.415850@mired.org>

In <Pine.GSO.4.44.0203191126480.17702-100000@mail.ilrt.bris.ac.uk>, Jan Grant <Jan.Grant@bristol.ac.uk> typed:
> On Tue, 19 Mar 2002, Richard wrote:
> > I am facing a problem that I only want to block a certain
> > user or a group to access a few directories and all other
> > users will not be affected.
> You need extended ACLs. I believe Linux has them; the TrustedBSD project
> is doing the same for FreeBSD (the code's already in current, IIRC).

Actually, any Unix can halfway do it. Put the users you want excluded
in group "excluded". Then make the directory owned by group excluded,
mode 705 (or whatever). The group permissions take precedence over
the "other" permission, so those users are excluded.

I say "halfway" because that's not the way you're supposed to use
groups. So it's relatively straightforward for a user to "lose" a
group, at least on some Unices. I originally found this on BSD 4.x,
and I don't know if it's been changed since. CSRG didn't consider it a
problem, and I haven't tested it on any version of FreeBSD.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
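
The permission check the message relies on, modelled as an added example (not part of the original message or of any kernel source): only the first matching class (owner, then group, then other) is consulted, so mode 705 denies members of the directory's group, and a process that no longer carries that group falls through to "other" and is let in. The uid/gid numbers are constructed, and the superuser bypass is left out of the model.

```python
# Added illustration: a model of the classic Unix permission check.
R, W, X = 4, 2, 1
SHIFT = {"owner": 6, "group": 3, "other": 0}

def access_class(file_uid, file_gid, uid, gids):
    """Pick the single permission class the check consults."""
    if uid == file_uid:
        return "owner"
    if file_gid in gids:
        return "group"
    return "other"

def allowed(mode, file_uid, file_gid, uid, gids, want):
    """True if every bit in `want` is granted by the one class that applies.

    There is no fall-through: a group member is judged on the group bits
    alone, even when the "other" bits are more generous.
    """
    cls = access_class(file_uid, file_gid, uid, gids)
    bits = (mode >> SHIFT[cls]) & 7
    return (bits & want) == want

# Constructed sample: directory owned by uid 0, group 900 ("excluded").
OWNER, EXCLUDED = 0, 900
ALICE = (1001, {1001})            # ordinary user, not in "excluded"
BOB = (1002, {1002, EXCLUDED})    # user placed in "excluded"
BOB_LOST = (1002, {1002})         # same user, process without gid 900

def demo():
    """Compare deny-by-group (705) with allow-by-group (750) for each user."""
    results = {}
    for mode in (0o705, 0o750):
        for name, (uid, gids) in (("alice", ALICE), ("bob", BOB),
                                  ("bob_lost", BOB_LOST)):
            results[(oct(mode), name)] = allowed(
                mode, OWNER, EXCLUDED, uid, gids, R | X)
    return results

if __name__ == "__main__":
    for key, ok in demo().items():
        print(key, "allowed" if ok else "denied")
```

With 705 the exclusion fails open when the group is lost; with an allow-list mode such as 750 the same loss fails closed.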
