Re: linux capabilities and ACLs

Richard Gooch (rgooch@atnf.csiro.au)
Sat, 6 Feb 1999 12:08:45 +1100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Nicholas J. Leon: "Re: Bloat thread..."
Previous message: Simon Kirby: "Re: Linux SMP problems: wait_on_bh"
In reply to: Simon Kirby: "Re: Linux SMP problems: wait_on_bh"

Albert D. Cahalan writes:
> Chris Ricker writes:
> > On Fri, 5 Feb 1999, Albert D. Cahalan wrote:
> >
> >> Roughly: the read-write-execute permissions are broken down into
> >> six basix permissions and some object-specific (file, dir, etc.)
> >> permissions. Access may be explicitly granted or denied. As far
> >> as I remember (don't make me boot NT), denial is applied last.
> >> You can mark files for auditing success or failure of various
> >> permission bits. Inheritance can apply to files, directories,
> >> both, or neither. Inheritance can be one-time-only.
> >
> > If I remember correctly, I think denail is applied first, not last.
>
> As I think about this, I realize it is a useless distinction.
>
> int deny_last(ACL *a){
> int access = ACCESS_DEFAULT;
> if(access_grant(a)) access = 1;
> if(access_deny(a)) access = 0;
> return access;
> }
>
> int deny_first(ACL *a){
> if(access_deny(a)) return 0;
> if(access_grant(a)) return 1;
> return ACCESS_DEFAULT;
> }

Erm, unless the model for deny last is:
int deny_last(ACL *a){
if(access_grant(a)) return 1;
if(access_deny(a)) return 0;
return ACCESS_DEFAULT;
}

I don't see any particular reason why one approach (to deny last) is
better than the other.

Regards,

Richard....

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Nicholas J. Leon: "Re: Bloat thread..."
Previous message: Simon Kirby: "Re: Linux SMP problems: wait_on_bh"
In reply to: Simon Kirby: "Re: Linux SMP problems: wait_on_bh"