Date: Sun, 16 Sep 2012 22:11:26 -0500 (CDT)
From: Robert Bonomi
Message-Id: <201209170311.q8H3BQeI030804@mail.r-bonomi.com>
To: freebsd-questions@freebsd.org
Subject: Re: What are negative permissions?

> Michael Sierchio wrote:
> On Sun, Sep 16, 2012 at 12:50 PM, Matthias Apitz wrote:
>
> > On Sunday, September 16, 2012 at 08:37:48PM +0100, Matthew Seaman
> > wrote:
> >
> > > It's where the group ownership of a file gives it fewer permissions than
> > > are allowed for the world in general.
> > >
> > > Suppose you have a file with these permissions and ownership:
> > >
> > > foo bar -rwx---r-x
> > >
> > > ...
> >
> > So far so good (and correct) the theory. But, could you imagine a real
> > world example where this makes any sense?
>
> Group permissions are rather blunt, and if you want fine-grained access
> controls, you'll need to enable ACLs. However...
>
> Imagine, if you will, a group entitled "guest," with the semantics you
> might normally associate with that name - then using negative group
> permissions on a directory effectively prevents traversal beyond that point
> for members of that group.

It's also 'convenient' for an anonymous ftp 'upload' directory -- set the
upload directory permissions to '-w--w-rw-' and any 'username' in the
'anonymous' group can only upload files to that directory -- can't get
a directory listing, read any files, or change directory. BUT, any
'non-anonymous' user _can_ do those things.

There are many kinds of "special case" scenarios where it is desirable to
make something 'generally available' to the users, but -deny- access to
a specific group of users. "Negative permissions" is a simple, and
simplistic, approach to the issue -- but it is a 'traditional' one, from
the days before extended access-control lists.
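
The class-selection rule behind the quoted `-rwx---r-x` example, as an added sketch that is not part of any poster's message: the traditional check picks exactly one class (owner, else group, else other) and never falls through, which is why a group member can end up with less than everyone else. The uids, gids and function names are constructed for illustration; the superuser bypass and ACLs are not modelled, and `gids` stands for the caller's effective plus supplementary groups.

```python
import stat

R, W, X = 4, 2, 1  # bits within one rwx triplet


def applicable_triplet(mode, file_uid, file_gid, uid, gids):
    """Return (class_name, rwx_bits) for the single class that applies.

    Owner is tested first, then group, then other. The first match
    decides; a later, more generous class is never consulted.
    """
    perms = stat.S_IMODE(mode)
    if uid == file_uid:
        return "owner", (perms >> 6) & 7
    if file_gid in gids:
        return "group", (perms >> 3) & 7
    return "other", perms & 7


def allowed(mode, file_uid, file_gid, uid, gids, want):
    """True if every bit in `want` is granted to this caller."""
    _, bits = applicable_triplet(mode, file_uid, file_gid, uid, gids)
    return (bits & want) == want


def negative_group_bits(mode):
    """Bits granted to 'other' but withheld from 'group' (0 if none).

    Useful when auditing a tree for negative group permissions.
    """
    perms = stat.S_IMODE(mode)
    return (perms & 7) & ~((perms >> 3) & 7)


# Constructed ids for the thread's example: owner foo, group bar, -rwx---r-x
FOO_UID, BAR_GID, STAFF_GID = 1001, 2001, 2002
MODE = 0o100705

if __name__ == "__main__":
    callers = [("foo (owner)", FOO_UID, {BAR_GID}),
               ("member of bar", 1002, {BAR_GID, STAFF_GID}),
               ("everyone else", 1003, {STAFF_GID})]
    for label, uid, gids in callers:
        cls, bits = applicable_triplet(MODE, FOO_UID, BAR_GID, uid, gids)
        print(f"{label:14} -> {cls:5} read={bool(bits & R)} exec={bool(bits & X)}")
    print("negative bits:", oct(negative_group_bits(MODE)))
```
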