Date: Mon, 05 Feb 2018 15:16:22 +0000
From: Frank Leonhardt <freebsd-doc@fjl.co.uk>
To: Freebsd Questions <freebsd-questions@freebsd.org>
Subject: ACL trouble
Message-ID: <634f440c0ab99f5c49bf592a6e796789@roundcube.fjl.org.uk>

I know there is more than one flavour of ACL but in general...

Imagine you have two groups - one "accounts" and another "dodgy". If it helps you could even have a third - "notdodgy" - which contains all the users not in "dodgy".

You have a resource, called "master-file". This must be accessible to everyone in accounts EXCEPT for those also in the dodgy group. That's right - you have some dodgy accountants.

How do you do this?

The problem with ACLs, as I understand them, is that the system will search through until it finds an "allow" condition and only return "deny" if it completely fails. In other words, Group1 OR Group2 = Allow. I want a condition that says Group1 AND Group2 = Allow.

If this is beyond what ACLs can do I have a clunky Plan B: a cron job that will maintain a third group called "notdodgyaccounts" and use that as the group owner of "master-file", avoiding ACLs completely. But I thought ACLs were supposed to be the answer to everything.

Am I missing something?

Thanks, Frank.
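
The membership calculation behind Plan B in the message above, as an added example that is not part of the original e-mail. The group names come from the message; the helper names, the file-path parameters and the sample data are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: membership for Plan B's "notdodgyaccounts" group,
# i.e. users in "accounts" who are not also in "dodgy".

# members_of GROUP GROUP_FILE PASSWD_FILE  (hypothetical helper)
# One user per line, sorted: supplementary members from the group file plus
# users whose primary GID (passwd field 4) is the group's GID. The second
# set never appears in the group file, so skipping it would let a user
# whose primary group is "dodgy" slip through.
members_of() {
    awk -F: -v g="$1" '
        pass == 1 && $1 == g { gid = $3; n = split($4, m, ",")
                               for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }
        pass == 2 && gid != "" && $4 == gid { print $1 }
    ' pass=1 "$2" pass=2 "$3" | LC_ALL=C sort -u
}

# not_dodgy GROUP_FILE PASSWD_FILE  (hypothetical helper)
# Comma-separated list of accounts members minus dodgy members.
not_dodgy() {
    nd_tmp=$(mktemp -d) || return 1
    members_of accounts "$1" "$2" > "$nd_tmp/want"
    members_of dodgy    "$1" "$2" > "$nd_tmp/deny"
    # comm -23 keeps lines that occur only in the first sorted file
    nd_out=$(LC_ALL=C comm -23 "$nd_tmp/want" "$nd_tmp/deny" | paste -sd, -)
    rm -rf "$nd_tmp"
    printf '%s\n' "$nd_out"
}

# make_sample DIR: constructed test data, not taken from any real system.
make_sample() {
    printf '%s\n' 'accounts:*:1001:alice,bob,carol' 'dodgy:*:1002:bob' \
        'staff:*:20:' > "$1/group"
    printf '%s\n' 'alice:*:2001:20::/home/alice:/bin/sh' \
        'bob:*:2002:20::/home/bob:/bin/sh' \
        'carol:*:2003:1002::/home/carol:/bin/sh' \
        'dave:*:2004:1001::/home/dave:/bin/sh' > "$1/passwd"
}

# In the cron job on FreeBSD the result would be applied with, for example:
#   pw groupmod notdodgyaccounts -M "$(not_dodgy /etc/group /etc/passwd)"
```

In the constructed data, carol is listed under accounts but has dodgy as her primary group, and dave has accounts as his primary group without being listed there; both cases are resolved from the passwd file.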