Date: Tue, 19 Mar 2002 13:40:09 +0000 (GMT)
From: Jan Grant
To: jason+freebsd@kanda.com
Cc: Richard, "freebsd-questions@FreeBSD.ORG"
Subject: Re: How to disallow a certain user or group to access a directory and all other users will not be affected

On Tue, 19 Mar 2002 jason+freebsd@kanda.com wrote:

>
> On Tue, 19 Mar 2002, Jan Grant wrote:
>
> > On Tue, 19 Mar 2002, Richard wrote:
> >
> > > I am facing a problem that I only want to block a certain
> > > user or a group to access a few directories and all other
> > > users will not be affected.
> > >
> > > It does not seem to be a problem in win2000, but I cannot
> > > implement in FreeBSD or Linux. Is it possible to implement
> > > in FreeBSD or Linux?
> >
> > You need extended ACLs. I believe Linux has them; the TrustedBSD project
> > is doing the same for FreeBSD (the code's already in current, IIRC).
>
> Not quite so, typically you use permissions to grant access, ie. user x
> can read/write these files, group y can only read these files and everyone
> else has no access.
>
> Permissions can be turned on their head a bit, eg: user x has no access,
> group y has read only access and everyone else can do anything with them.
>
> With thoughtful use of groups, you should be able to emulate some ACL
> functionality, although it will be fiddlier than with ACLs.

Yeah; but the problem is that dropping out of a group isn't hard -
otherwise I would've mentioned it :-)

--
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 RFC822 jan.grant@bris.ac.uk
(Things I've found in my attic, #2: A hundredweight of pornography.)
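
Added example, not part of the original thread: a small Python model of the traditional Unix mode check, applied to the "turned on their head" modes from the quoted reply, showing that a group-based deny only holds while that group is in the process's group list. The uids, gids and the 0705/0047 modes are constructed for illustration; the superuser and ACLs are not modelled.

```python
import stat

R, W, X = 4, 2, 1  # read, write, execute/search permission bits


def allowed(mode, owner_uid, owner_gid, uid, groups, want):
    """Traditional Unix check: only the FIRST matching class is consulted.

    Owner bits apply if the uid matches, else group bits if the file's
    group is in the process's group set, else the "other" bits. A class
    with fewer bits than "other" therefore acts as a deny entry.
    """
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want


# Constructed sample: directory owned by root, group "noaccess" (gid 2001),
# mode 0705 (drwx---r-x): members of gid 2001 are denied, everyone else is not.
DIR_MODE, DIR_UID, DIR_GID = 0o705, 0, 2001


def can_enter(uid, groups):
    """True if a process with these credentials may list/search the directory."""
    return allowed(DIR_MODE, DIR_UID, DIR_GID, uid, groups, R | X)


if __name__ == "__main__":
    print(stat.filemode(stat.S_IFDIR | DIR_MODE))
    cases = [
        ("ordinary user, not in gid 2001", 1001, {1001}),
        ("blocked user, gid 2001 in group set", 1002, {1002, 2001}),
        # The caveat from the reply: the deny depends on the group being present.
        ("same user, gid 2001 absent from group set", 1002, {1002}),
    ]
    for label, uid, groups in cases:
        print(f"{label}: {'allowed' if can_enter(uid, groups) else 'denied'}")
```

An ACL deny entry keyed on the user avoids the dependency shown in the third case, which is why the first reply points at extended ACLs.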