On Sat, Jan 11, 2014 at 8:50 AM, Bob Goldberg <bobg.hahc@gmail.com> wrote:
>
> So - Is there a way to force ACL perms to dictate the effective rights??

It seems to me that I would want to understand the answer to this
question before I try to use ACLs. Which means that, if I had to use
ACLs for work, I would tell the boss I need a block of time to make a
set of throw-away users and groups to test the results of things, to
make sure that I understand the results I get.

(Bosses who can't accept that kind of answer aren't fit to be bosses,
but that observation only helps one to find a way to do the necessary
job without taking the undeserved insults to heart. Or to tell the
boss he can have his job if things get really, really bad.)

> FWIW:
> it APPEARS to me that the acl access check algorithm will not allow this.

I don't think you are understanding your results. (But I may be wrong.
I don't use ACLs.)

> however - since the entire acl sub-system was "meant to increase granularity
> of permissions" - shouldn't acl ALWAYS override unix perms?

I may be wrong here, but how could ACLs override the native
permissions system randomly without opening tons of new opportunities
for discovering vulnerabilities?

> is this a bug in
> the ACL algorithm?

8-o

> === end of my question; begin additional info ===
>
> because I KNOW someone will want to know why this is a problem - here's why,
> and I hope you're not sorry you asked !! :-)
>
> I'm using [openssh] internal-sftp to chroot users to their home dir.
> internal-sftp's chroot DEMANDS that all dir's leading to home MUST be
> root-owned, and NO g-w permissions !!

Do you understand why?

> But my managers (members of group: chadm) must have full permissions in all
> sftp users' home dir's.

Managers sometimes make really unreasonable demands. And sometimes
they make impossible demands.

Nevertheless, sudo offers a solution to that false problem that is far
more to the point. As long as you are careful not to take the easy
route and put all the managers in the (unix) sudo group (or wheel, or
root, etc.)

> So NEITHER my sftp user, NOR my managing group have write access to the home
> directory !?!?

Are you really sure your managers want to do that?

> (yes, i know i can create another sub-dir they can get at, but i don't want
> to - that's sloppy, and un-intuitive.)

It's not sloppy, and it's only counter-intuitive to people who don't
understand security. (IMO, perhaps, but I have pretty strong reasons
for saying so.)

> This SEEMS like such a simple task. And it PAINS me to no end, that this
> task would be relatively easy to implement under windoze - but seems
> impossible to solve under linux !!???
> ...sup w/ dat !?!?
>

*** MSWindows is a null argument. ***

(Do you understand why?)

Otherwise, take the time and go back and make sure that you understand
the results of your initial experiments, even if it means "service
overtime". (Or if the boss has been getting too much service overtime
from you, .... )
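
The chroot rule quoted in this thread (every directory leading to the home directory must be root-owned with no group write) can be audited before sshd refuses a login. This is an added example, not part of the original message: it also flags world-writable components, which sshd_config(5) likewise forbids for ChrootDirectory, and the sample paths, uids and the `sample_stat` helper are constructed for illustration.

```python
import os
import stat
from pathlib import PurePosixPath
from types import SimpleNamespace

def component_problems(st):
    """Reasons one path component breaks the chroot ownership rule."""
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("not a directory")
    if st.st_uid != 0:
        problems.append(f"owned by uid {st.st_uid}, not root")
    # With a POSIX ACL present, the group bits of st_mode report the ACL
    # mask, so a group-write ACL entry normally shows up here as g+w too.
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems

def audit_chroot(path, stat_fn=os.stat):
    """Check path and every parent up to /; return {component: problems}."""
    p = PurePosixPath(path)
    if not p.is_absolute():
        raise ValueError("chroot path must be absolute")
    findings = {}
    for comp in list(p.parents)[::-1] + [p]:   # walk from / down to the leaf
        problems = component_problems(stat_fn(str(comp)))
        if problems:
            findings[str(comp)] = problems
    return findings

# Constructed sample data: component -> (owner uid, st_mode)
SAMPLE = {
    "/": (0, 0o40755),
    "/home": (0, 0o40755),
    "/home/alice": (0, 0o40775),    # root-owned but g+w
    "/home/bob": (1001, 0o40755),   # owned by the sftp user
}

def sample_stat(path):
    """Stand-in for os.stat that reads the constructed table above."""
    uid, mode = SAMPLE[path]
    return SimpleNamespace(st_uid=uid, st_mode=mode)

if __name__ == "__main__":
    for home in ("/home/alice", "/home/bob"):
        print(home, audit_chroot(home, sample_stat))
```

On a real host, call `audit_chroot("/path/to/chroot")` with the default `os.stat`; an empty result means every component satisfies the rule.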