Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 20 Aug 2001 07:44:06 -0400
From:      "Ken Cross" <kcross@ntown.com>
To:        "Ilmar S. Habibulin" <ilmar@watson.org>
Cc:        <freebsd-fs@FreeBSD.ORG>, <freebsd-securit@FreeBSD.ORG>
Subject:   Re: DENY ACL's
Message-ID:  <028401c1296d$6b01f8f0$0200a8c0@kjc2.com>
References:  <Pine.BSF.3.96.1010820071822.39419A-100000@fledge.watson.org>

next in thread | previous in thread | raw e-mail | index | archive | help
The particular case you show would work, but others won't.

For example, suppose the user is a member of GroupA which is allowed access
and also a member of GroupB which is denied access, e.g. "setfacl -m
g:GroupA:rwx,g:GroupB: file".  (There's no user-specific ACL.)

All "deny" ACL's must be checked first, so the user should be denied.  Under
the current scheme, I think the "best match" would allow access.

Good thought, though.  Thanks.

Ken


>
>
> > For those not familiar with it, deny ACL's are ACL's that explicitly
deny
> > access, e.g., group Accountants are allowed access, but user George is
> > denied access even though he is a member of Accountants.
>
> Would something like "setfacl -m g:group1:rw,u:user1: file", where user1
> is the member of group group1 satisfy you?
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-fs" in the body of the message


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-fs" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?028401c1296d$6b01f8f0$0200a8c0>