Date: Tue, 19 Mar 2002 14:13:23 +0000 (GMT)
From: Jan Grant <Jan.Grant@bristol.ac.uk>
To: jason+freebsd@kanda.com
Cc: Richard <guyuan@telpacific.com.au>, "freebsd-questions@FreeBSD.ORG" <freebsd-questions@FreeBSD.ORG>
Subject: Re: How to disallow a certain user or group to access a directory and all other users will not be affected
Message-ID: <Pine.GSO.4.44.0203191410500.17702-100000@mail.ilrt.bris.ac.uk>
In-Reply-To: <Pine.GSO.4.44.0203191339110.17702-100000@mail.ilrt.bris.ac.uk>

On Tue, 19 Mar 2002, Jan Grant wrote:

> On Tue, 19 Mar 2002 jason+freebsd@kanda.com wrote:
>
> > Not quite so, typically you use permissions to grant access, ie. user x
> > can read/write these files, group y can only read these files and everyone
> > else has no access.
> >
> > Permissions can be turned on their head a bit, eg: user x has no access,
> > group y has read only access and everyone else can do anything with them.
> >
> > With thoughtful use of groups, you should be able to emulate some ACL
> > functionality, although it will be fiddlier than with ACLs.
>
> Yeah; but the problem is that dropping out of a group isn't hard -
> otherwise I would've mentioned it :-)

Actually, now that I think about it, what I wrote isn't fair in the
slightest. The same kinds of loopholes that can be used to drop out of
groups (generally, going through something that doesn't initgroups
properly - eg, a non-suexecing apache) could very well be used to avoid
group-based ACLs too.

-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 RFC822 jan.grant@bris.ac.uk
Talk is cheap: free, as in beer. As in Real Ale, not that Budweiser rubbish.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
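Why a "deny by group" mode depends on the supplementary group list, as an added example that is not part of the original message: a model of the classic owner/group/other check, run for the same uid with and without the groups initgroups() would have set. The uid/gid numbers, the mode 0707 and all function names are constructed for illustration; the superuser bypass is left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* True if gid g is the effective gid or appears in the supplementary list. */
static bool in_groups(gid_t g, gid_t egid, const gid_t *sup, size_t n)
{
    if (g == egid)
        return true;
    for (size_t i = 0; i < n; i++)
        if (sup[i] == g)
            return true;
    return false;
}

/* Classic Unix mode check: exactly one class applies, first match wins
 * (owner, then group, then other). want is a 3-bit mask: 4=r, 2=w, 1=x. */
bool unix_access(mode_t mode, uid_t fuid, gid_t fgid, uid_t euid, gid_t egid,
                 const gid_t *sup, size_t n, unsigned want)
{
    unsigned bits;
    if (euid == fuid)
        bits = (mode >> 6) & 7;
    else if (in_groups(fgid, egid, sup, n))
        bits = (mode >> 3) & 7; /* applies even if it grants less than "other" */
    else
        bits = mode & 7;
    return (bits & want) == want;
}

/* Constructed scenario: directory owned by uid 0, gid 2000, mode 0707
 * (group gets nothing, everyone else gets rwx). User is uid 1001, gid 1001. */
bool access_after_initgroups(void)
{
    const gid_t sup[] = { 2000 };   /* membership loaded by initgroups() */
    return unix_access(0707, 0, 2000, 1001, 1001, sup, 1, 5);
}

bool access_without_initgroups(void)
{
    /* same uid, but the launching service never set supplementary groups */
    return unix_access(0707, 0, 2000, 1001, 1001, NULL, 0, 5);
}

int main(void)
{
    printf("with supplementary groups:    %s\n", access_after_initgroups() ? "allowed" : "denied");
    printf("without supplementary groups: %s\n", access_without_initgroups() ? "allowed" : "denied");
    return 0;
}
```

The deny only holds when every path that runs code as the user calls initgroups() before setgid()/setuid(), so group membership used as a deny rule should be audited against each such service.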