
Re: About the login shell



On Tue, Aug 20, 2002 at 11:28:07AM -0500, Tom Hart wrote:

> ACLs (Access Control Lists, for those who haven't heard the term
> before), allow the administrator to have more fine-grained control
> over access to the system.

> However, the only system I'm familiar with that uses them is Windows
> NT/2K/XP.

Maybe I should describe what I know of the ACLs implemented on top of
Unix, then: I had some experience with a Solaris system, and I heard
that the (since withdrawn) POSIX ACL draft was very close to this.

It is much simpler than the NT ACLs:

There are 6 types of entries:

 - (user | group) owner permissions
 - other users permissions
 - one specific (user|group) permissions
 - the mask

Directories can additionally contain so-called "default values", that
is, the ACL that files created in this directory will initially
contain. It is unclear to me how this interacts with the umask (maybe
the mask is set to the umask).

A user has permission to do something if ANY entry of this file's ACL
gives him permission (modulo the mask, see below). So permissions are
cumulative: when you give a group permissions, you give them to all its
users, no exception. You can't say "all the 'staff' group has write
access, but not johndoe, even if he is a member of the 'staff'
group". And only this file's ACL matters. There is no concept of
inheritance.

The mask is the maximal authorisations anyone (except the user owner)
can have. So the effective authorisations applying to a user are:

(bitwise or of all ACL entries that apply to him) bitwise and (the mask)


Does this "version" of ACLs calm your fears of ACLs being
"unintuitive"?

-- 
Lionel



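Added example (not part of Lionel's mail, and not the ACL code of Solaris or of any other system): a small evaluator that applies the rule stated in the message, the bitwise OR of every entry that applies to a user, ANDed with the mask for everyone except the file's owning user, to getfacl(1)-style text. The two assumptions it makes beyond the mail are that the `other::` entry only applies to users no other entry covers, and that the `# owner:` / `# group:` header lines name the owning user and group. The constructed sample ACL reproduces the johndoe case from the mail: `staff` gets `rw-`, johndoe gets a separate `r--` entry, but since entries are cumulative he still ends up with write access.

```python
"""Effective-permission evaluator for the ACL model described in the mail.

Rule modelled: effective = (OR of all entries applying to the user) AND mask,
with the owning user exempt from the mask.  Added example; standard library only.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def parse_perm(s: str) -> int:
    """'rw-' -> 6.  Anything other than r, w, x or '-' is rejected."""
    bits = 0
    for ch in s:
        if ch in PERM_BITS:
            bits |= PERM_BITS[ch]
        elif ch != "-":
            raise ValueError(f"bad permission string {s!r}")
    return bits


def fmt_perm(bits: int) -> str:
    """6 -> 'rw-'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


@dataclass
class Acl:
    owner_user: str = ""
    owner_group: str = ""
    user_perm: int = 0                     # user::   (owning user)
    group_perm: int = 0                    # group::  (owning group)
    other_perm: int = 0                    # other::
    mask: Optional[int] = None             # mask::   (absent on a minimal ACL)
    named_users: Dict[str, int] = field(default_factory=dict)   # user:NAME:
    named_groups: Dict[str, int] = field(default_factory=dict)  # group:NAME:


def parse_acl(text: str) -> Acl:
    """Parse getfacl-style text ('# owner:' headers, then TYPE:NAME:PERM lines)."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # '# owner: alice' / '# group: staff' (assumption: these name the owners)
            key, _, value = line[1:].strip().partition(":")
            if key == "owner":
                acl.owner_user = value.strip()
            elif key == "group":
                acl.owner_group = value.strip()
            continue
        line = line.split("#", 1)[0].strip()     # drop a trailing '#effective:...' note
        kind, name, perm = line.split(":")
        bits = parse_perm(perm)
        if kind == "user":
            if name:
                acl.named_users[name] = bits
            else:
                acl.user_perm = bits
        elif kind == "group":
            if name:
                acl.named_groups[name] = bits
            else:
                acl.group_perm = bits
        elif kind == "mask":
            acl.mask = bits
        elif kind == "other":
            acl.other_perm = bits
        else:
            raise ValueError(f"unknown entry type {kind!r}")
    return acl


def effective_perms(acl: Acl, user: str, groups: Iterable[str]) -> int:
    """Cumulative OR of every applicable entry, then AND mask (owner exempt)."""
    groups = set(groups)
    granted, matched = 0, False
    if user == acl.owner_user:
        granted |= acl.user_perm
        matched = True
    if user in acl.named_users:
        granted |= acl.named_users[user]
        matched = True
    if acl.owner_group in groups:
        granted |= acl.group_perm
        matched = True
    for g, bits in acl.named_groups.items():
        if g in groups:
            granted |= bits
            matched = True
    if not matched:
        granted = acl.other_perm     # assumption: 'other' only for otherwise-unmatched users
    if acl.mask is not None and user != acl.owner_user:
        granted &= acl.mask
    return granted


def effective(text: str, user: str, groups: Iterable[str]) -> str:
    """Convenience wrapper returning the 'rwx' form for a getfacl-style ACL."""
    return fmt_perm(effective_perms(parse_acl(text), user, groups))


# Constructed sample in getfacl output format (not captured from a real system).
SAMPLE_ACL = """\
# file: report.txt
# owner: alice
# group: staff
user::rw-
user:johndoe:r--
group::rw-
group:audit:r-x\t#effective:r--
mask::rw-
other::---
"""

if __name__ == "__main__":
    for who, grps in [("alice", ["staff"]), ("johndoe", ["staff"]),
                      ("carol", ["audit"]), ("dave", ["users"])]:
        print(f"{who:8s} {grps}: {effective(SAMPLE_ACL, who, grps)}")
```

Running it shows johndoe with `rw-` despite his own `r--` entry, carol's `r-x` from `audit` cut to `r--` by the mask, and dave falling through to `other::`. Tightening the mask to `r--` strips write access from johndoe but leaves alice, the owning user, untouched.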