Re: linux capabilities and ACLs

Albert D. Cahalan (acahalan@cs.uml.edu)
Fri, 5 Feb 1999 19:56:03 -0500 (EST)


Chris Ricker writes:
> On Fri, 5 Feb 1999, Albert D. Cahalan wrote:
>
>> Roughly: the read-write-execute permissions are broken down into
>> six basic permissions and some object-specific (file, dir, etc.)
>> permissions. Access may be explicitly granted or denied. As far
>> as I remember (don't make me boot NT), denial is applied last.
>> You can mark files for auditing success or failure of various
>> permission bits. Inheritance can apply to files, directories,
>> both, or neither. Inheritance can be one-time-only.
>
> If I remember correctly, I think denial is applied first, not last.

As I think about this, I realize it is a useless distinction.

/* Assumed declarations (not in the original post): an opaque ACL type,
   two predicates that report whether the ACL holds a matching grant or
   deny entry, and the result used when neither matches. */
typedef struct ACL ACL;
int access_grant(ACL *a);
int access_deny(ACL *a);
#define ACCESS_DEFAULT 0

/* Grants are applied first; an explicit denial then overrides them. */
int deny_last(ACL *a){
    int access = ACCESS_DEFAULT;
    if(access_grant(a)) access = 1;
    if(access_deny(a)) access = 0;
    return access;           /* single exit: the natural place to audit */
}

/* Denials are checked first and short-circuit; grants are only read
   when no denial matched. */
int deny_first(ACL *a){
    if(access_deny(a)) return 0;
    if(access_grant(a)) return 1;
    return ACCESS_DEFAULT;
}

The first way makes more sense to me, since it provides a nice place
to put the auditing code.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
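An added example, not part of the message above and not kernel code: a small, self-contained ACL model in C that makes the two evaluators from the post executable, checks that deny-first and deny-last never disagree on any request, and shows why the deny-last form gives a single exit point for an audit record. The types and helpers (ACE, ACL, Request, acl_mask, audit, sample_acl, orderings_agree), the constructed sample ACL and the default-deny fallback are assumptions made for this example.

```c
/* Added example (not from the original message). All names below are
 * hypothetical; ACCESS_DEFAULT = 0 assumes "no matching entry" means no access. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { PERM_READ = 1, PERM_WRITE = 2, PERM_EXEC = 4 };
#define ACCESS_DEFAULT 0

typedef struct {
    const char *principal;   /* user or group the entry applies to */
    unsigned    mask;        /* permission bits the entry covers */
    bool        deny;        /* true = explicit denial, false = grant */
} ACE;

typedef struct {
    const ACE *entries;
    size_t     count;
} ACL;

typedef struct {             /* one access check */
    const char *who;
    unsigned    want;
} Request;

/* OR together the masks of all entries of one kind naming this principal. */
static unsigned acl_mask(const ACL *a, const char *who, bool deny)
{
    unsigned m = 0;
    for (size_t i = 0; i < a->count; i++)
        if (a->entries[i].deny == deny && strcmp(a->entries[i].principal, who) == 0)
            m |= a->entries[i].mask;
    return m;
}

/* Grant only if every requested bit is explicitly allowed. */
int access_grant(const ACL *a, const Request *r)
{
    return (acl_mask(a, r->who, false) & r->want) == r->want;
}

/* Deny if any requested bit is explicitly denied. */
int access_deny(const ACL *a, const Request *r)
{
    return (acl_mask(a, r->who, true) & r->want) != 0;
}

static int audit_calls;      /* decisions that reached the audit hook */
int audit_call_count(void) { return audit_calls; }

static void audit(const Request *r, int access)
{
    audit_calls++;
    printf("audit: %s wants 0x%x -> %s\n", r->who, r->want, access ? "ALLOW" : "DENY");
}

/* Grants first, denials override; every decision funnels through one
 * return, so the audit hook sits there. */
int deny_last(const ACL *a, const Request *r)
{
    int access = ACCESS_DEFAULT;
    if (access_grant(a, r)) access = 1;
    if (access_deny(a, r))  access = 0;
    audit(r, access);
    return access;
}

/* Denials short-circuit before grants are consulted. */
int deny_first(const ACL *a, const Request *r)
{
    if (access_deny(a, r))  return 0;
    if (access_grant(a, r)) return 1;
    return ACCESS_DEFAULT;
}

/* Constructed sample ACL: alice is granted read+write but write is
 * explicitly denied; bob may only read; carol has no entries. */
static const ACE sample_entries[] = {
    { "alice", PERM_READ | PERM_WRITE, false },
    { "alice", PERM_WRITE,             true  },
    { "bob",   PERM_READ,              false },
};
static const ACL sample = { sample_entries, sizeof sample_entries / sizeof sample_entries[0] };
const ACL *sample_acl(void) { return &sample; }

/* Try every principal against every non-empty combination of the three
 * bits. Returns the number of requests checked, or -1 if the orders disagree. */
int orderings_agree(const ACL *a)
{
    static const char *principals[] = { "alice", "bob", "carol" };
    int checked = 0;
    for (size_t p = 0; p < 3; p++)
        for (unsigned want = 1; want < 8; want++) {
            Request r = { principals[p], want };
            if (deny_last(a, &r) != deny_first(a, &r))
                return -1;
            checked++;
        }
    return checked;
}

int main(void)
{
    printf("alice read:  %d\n", deny_last(sample_acl(), &(Request){ "alice", PERM_READ }));
    printf("alice write: %d\n", deny_last(sample_acl(), &(Request){ "alice", PERM_WRITE }));
    printf("orders agree on %d requests\n", orderings_agree(sample_acl()));
    return 0;
}
```

The equivalence holds because both orders reduce to the same decision table (denied wins, otherwise granted wins, otherwise the default); what differs is only that deny_last reaches a single return where a success-or-failure audit record can be written once per decision.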