Re: linux capabilities and ACLs
Mirian Crzig Lennox (mirian@xensei.com)
05 Feb 1999 13:37:55 -0500
john halewood <john@firewall.unidec.co.uk> writes:
>
> not quite. denial is always applied first. in fact, the thing
> that's been missing from this discussion is any mention
> of VMS, which has probably the most complete ACL implementation
> I've seen. it was borrowed (sometimes almost byte for byte) by
> n*t, although they left out some of the more obscure bits.
> I never could get the hang of being able to execute programs
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> even though I couldn't read the contents of the directory
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> that they resided in, or even read them themselves.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Get ready for a shock, then:
(On a machine running Redhat Linux 5.2):
$ mkdir foo
$ cp /bin/date foo
$ chmod 100 foo/date
$ chmod 100 foo
$ ls foo
ls: foo: Permission denied
$ cat foo/date
cat: foo/date: Permission denied
$ ./foo/date
Fri Feb 5 13:28:53 EST 1999
You don't need ACLs to pull this little trick; ordinary POSIX
permissions will do.
--
Mirian Crzig Lennox Systems Anarchist
"There's a New World Order coming every minute.
Make mine extra cheese."