Re: linux capabilities and ACLs

Mark H. Wood (mwood@IUPUI.Edu)
Sun, 7 Feb 1999 07:11:02 -0500 (EST)

On Sat, 6 Feb 1999, Chip Salzenberg wrote:
> According to Rik van Riel:
> > On Thu, 4 Feb 1999, Tim Smith wrote:
> > > ... the TOPS-10 behaviour of only checking the access file on
> > > accesses that would otherwise fail ...
> >
> > This _is_ a problem. I can imagine the situation where you want a
> > file to be world-readable EXCEPT for that one special network user
> > (say, nobody).
>
> That's hardly good practice. IMO, 99.44% of the time, it's better to
> specify who to _include_ rather than who to _exclude_, if only because
> new accounts get created all the time.

I have to agree with that. However, for those who don't, it's really easy
to do. chmod the file 700 -- now all access other than by owner goes
through the ACL. Deny-all to nobody, then grant read to *, and you're
done. (You could make the mode 000 and force even the owner through the
ACL, if you dare. VMS access checks have the additional property that the
object's owner has implicit change-mode access, so there's no way to
utterly lose control of an object.)

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Innovation is only valuable if it improves one's life; otherwise it's
just one more silly change to cope with.




-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/