
Re: "Small" Bug - silly question again



On 17 Mar 2000, Niels Möller wrote:

> As a concrete example, say you want to limit write access to the file
> /games/nethack/lib/nethackdir/record to members of the group games.
> And that you, at the same time, want to grant read access to everybody
> but guests. How would you do that?

ACLs!!! =)

yes, I have run into that particular situation myself many times, and
wished for a way to do things like that.

What happens, though, when you want, say, group devel to have full access
to a file (project, directory, whatever), group qa to have only read
(execute) access, and nobody else?  Well, the everybody else is easy to
take care of, but what about the conflicting group permissions?

I've been in cases like that.  On unix, you'd either end up making a new
group for that project that has the members of both devel and qa, and give
them all full access, or you end up giving full access to only devel, read
access to everybody else, and biting the bullet.  You could still create
another group that has members of both devel and qa, and then restrict the
next higher-up directory so that only group dev-qa has access and
"other/world" has no access, and then do some really funky permissions on
down the tree:

drwxr-xr-x	root	root	/
drwxrwx---	root	dev-qa	/projects
drwxrwsr-x	root	devel	/projects/program1

Here, if dev-qa contains both users from devel and qa, then you can do
what I mention above.  Big pain in the ass, and requires extra directories
in the path to get it working.  At this point, something like the
not-logged-in user is useless.  It's still neat, but only if I have guests
randomly walking in and playing with my servers/workstations.  In an
environment where this does not happen, I have no need for that extra set
of permissions.  I do have a need, however, for ACLs.  Especially, if
given this case, the manager of the applications development department,
who oversees the people in both devel and qa, but is a member of neither,
wanted to have permissions to look (read-only) at all these projects.

So, looks like I'll have to do a bit of studying on filesystem
structures...

-- 
Gregory Ade <gkade@bigbrother.net>
Find PGP public key at http://www.pgp.com (Key ID 0x63B57600)
#include <standard/disclaim.h>
procmail(1) is your friend.
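
A small model of the access checks in the /projects layout from the message, and of how a single named-group ACL entry covers the manager case. It is an added illustration, not part of the original message. The user names, the `mgmt` group and the simplified ACL evaluation (named-group entries only, no mask) are assumptions.

```python
# Constructed sample data: users and the "mgmt" group are assumptions.
GROUPS = {
    "alice": {"devel", "dev-qa"},   # developer
    "bob": {"qa", "dev-qa"},        # QA
    "carol": {"mgmt"},              # manager, member of neither devel nor qa
}

# path -> (owner, owning group, mode string, named-group ACL entries)
TREE = {
    "/": ("root", "root", "rwxr-xr-x", {}),
    "/projects": ("root", "dev-qa", "rwxrwx---", {}),
    "/projects/program1": ("root", "devel", "rwxrwsr-x", {}),
}

def perms(triplet):
    """Turn 'rws' or 'r-x' into a set of rights (s/t imply x, S/T do not)."""
    return {{"s": "x", "t": "x"}.get(c, c) for c in triplet if c not in "-ST"}

def allowed(user, node, want):
    owner, group, mode, acl = node
    mine = GROUPS.get(user, set())
    if user == owner:
        return want <= perms(mode[0:3])
    # Group class: the owning group plus any named-group entries that match.
    entries = [perms(mode[3:6])] if group in mine else []
    entries += [perms(p) for g, p in acl.items() if g in mine]
    if entries:
        return any(want <= e for e in entries)  # no fall-through to "other"
    return want <= perms(mode[6:9])

def can(user, path, want, tree=TREE):
    """Search (x) is needed on every ancestor, then `want` on the target."""
    parts = path.strip("/").split("/")
    ancestors = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    if not all(allowed(user, tree[d], {"x"}) for d in ancestors):
        return False
    return allowed(user, tree[path], set(want))

def with_acl(path, group, triplet, tree=TREE):
    """Return a copy of the tree with one named-group entry added to `path`."""
    owner, grp, mode, acl = tree[path]
    return {**tree, path: (owner, grp, mode, {**acl, group: triplet})}

if __name__ == "__main__":
    acl_tree = with_acl("/projects", "mgmt", "r-x")
    for user in GROUPS:
        print(user, can(user, "/projects/program1", "rx"),
              can(user, "/projects/program1", "rx", acl_tree))
```

With mode bits alone the manager is stopped at /projects; the one added entry lets her traverse it without joining dev-qa or gaining write access.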

