Date: Mon, 20 Aug 2001 07:44:06 -0400
From: "Ken Cross" <kcross@ntown.com>
To: "Ilmar S. Habibulin" <ilmar@watson.org>
Cc: <freebsd-fs@FreeBSD.ORG>, <freebsd-securit@FreeBSD.ORG>
Subject: Re: DENY ACL's
Message-ID: <028401c1296d$6b01f8f0$0200a8c0@kjc2.com>
References: <Pine.BSF.3.96.1010820071822.39419A-100000@fledge.watson.org>

The particular case you show would work, but others won't.

For example, suppose the user is a member of GroupA which is allowed access and also a member of GroupB which is denied access, e.g. "setfacl -m g:GroupA:rwx,g:GroupB: file". (There's no user-specific ACL.)

All "deny" ACL's must be checked first, so the user should be denied. Under the current scheme, I think the "best match" would allow access.

Good thought, though. Thanks.

Ken

> > For those not familiar with it, deny ACL's are ACL's that explicitly deny
> > access, e.g., group Accountants are allowed access, but user George is
> > denied access even though he is a member of Accountants.
>
> Would something like "setfacl -m g:group1:rw,u:user1: file", where user1
> is the member of group group1 satisfy you?
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-fs" in the body of the message
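
The two evaluation orders discussed in this message, as an added example that is not part of the original e-mail or of FreeBSD's code: a simplified POSIX.1e-style best-match check (file owner, owning group and mask omitted) beside a deny-first model that treats an entry with empty permissions as an explicit deny. The entry model, the function names and the user name `someuser` are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    tag: str    # "user", "group" or "other"
    name: str   # user or group name; "" for "other"
    perms: str  # subset of "rwx"; "" is what "g:GroupB:" sets

def grants(entry, want):
    return set(want) <= set(entry.perms)

def best_match(acl, user, groups, want):
    """Simplified POSIX.1e-style check: a matching user entry decides alone;
    otherwise any matching group entry that grants the request is enough."""
    for e in acl:
        if e.tag == "user" and e.name == user:
            return grants(e, want)
    hits = [e for e in acl if e.tag == "group" and e.name in groups]
    if hits:
        return any(grants(e, want) for e in hits)
    return any(e.tag == "other" and grants(e, want) for e in acl)

def deny_first(acl, user, groups, want):
    """Assumed deny-first model: every matching entry with empty permissions
    is treated as a deny and checked before any allow entry."""
    for e in acl:
        matched = (e.tag == "user" and e.name == user) or \
                  (e.tag == "group" and e.name in groups)
        if matched and e.perms == "":
            return False
    return best_match(acl, user, groups, want)

# Constructed ACLs mirroring the two setfacl commands quoted in the thread.
ILMAR_ACL = [Entry("group", "group1", "rw"), Entry("user", "user1", "")]
KEN_ACL = [Entry("group", "GroupA", "rwx"), Entry("group", "GroupB", "")]

def compare(acl, user, groups, want="r"):
    return {"best_match": best_match(acl, user, groups, want),
            "deny_first": deny_first(acl, user, groups, want)}

if __name__ == "__main__":
    print("u:user1: case  ", compare(ILMAR_ACL, "user1", {"group1"}))
    # "someuser" is a constructed name for the member of both groups.
    print("g:GroupB: case ", compare(KEN_ACL, "someuser", {"GroupA", "GroupB"}))
```

The user-entry case is denied under both orders, while the two-group case is allowed by best match and denied only when deny entries are checked first.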