From owner-freebsd-security  Mon Aug 20  7:13: 1 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ntown.esper.com (ntown.esper.com [216.111.16.26])
	by hub.freebsd.org (Postfix) with ESMTP
	id 7DE7E37B40A; Mon, 20 Aug 2001 07:12:52 -0700 (PDT)
	(envelope-from kcross@ntown.com)
Received: from kjcwin2k (kcross.ntown.esper.com [216.111.19.212])
	by ntown.esper.com (8.11.4/8.11.4) with SMTP id f7KEK7E19166;
	Mon, 20 Aug 2001 10:20:07 -0400
Message-ID: <000f01c12982$321d68c0$0200a8c0@kjc2.com>
From: "Ken Cross" <kcross@ntown.com>
To: "Ilmar S. Habibulin" <ilmar@watson.org>
Cc: <freebsd-fs@FreeBSD.ORG>, <freebsd-security@FreeBSD.ORG>
References: <Pine.BSF.3.96.1010820093328.39779C-100000@fledge.watson.org>
Subject: Re: DENY ACL's
Date: Mon, 20 Aug 2001 10:12:49 -0400
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

>
> > The particular case you show would work, but others won't.
>
> I think that the example given below is the result of badly formed
> security policy.

Not really.  There are real cases in large organizations where that
configuration is perfectly legitimate.  OTOH, it is often the result of
"quick-fix" solutions.  But that's the real world...

>
> > For example, suppose the user is a member of GroupA which is allowed
access
> > and also a member of GroupB which is denied access, e.g. "setfacl -m
> > g:GroupA:rwx,g:GroupB: file".  (There's no user-specific ACL.)
> > All "deny" ACL's must be checked first, so the user should be denied.
Under
> > the current scheme, I think the "best match" would allow access.
>
> Yes, user will have access to file, but why shouldn't he have it?

For whatever reason, the administrators decided to explicitly deny access to
GroupB.  By definition, that *must* be honored first.  I don't make the
rules, but I gotta live by them.  ;-)

Ken



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message