Date:      Mon, 05 Feb 2018 15:16:22 +0000
From:      Frank Leonhardt <freebsd-doc@fjl.co.uk>
To:        Freebsd Questions <freebsd-questions@freebsd.org>
Subject:   ACL trouble
Message-ID:  <634f440c0ab99f5c49bf592a6e796789@roundcube.fjl.org.uk>

I know there is more than one flavour of ACL but in general...

Imagine you have two groups - one "accounts" and another "dodgy". If it 
helps you could even have a third - "notdodgy" - which contains all the 
users not in "dodgy".

You have a resource, called "master-file". This must be accessible to 
everyone in accounts EXCEPT for those also in the dodgy group. That's 
right - you have some dodgy accountants.

How do you do this?

The problem with ACLs, as I understand them, is that the system will 
search through until it finds an "allow" condition and only return 
"deny" if it completely fails. In other words, Group1 OR Group2 = Allow. 
I want a condition that says Group1 AND Group2 = Allow.

If this is beyond what ACLs can do I have a clunky Plan B: a cron job that 
will maintain a third group called "notdodgyaccounts" and use that as the 
group owner of "master-file", avoiding ACLs completely. But I thought ACLs 
were supposed to be the answer to everything.

Am I missing something?

Thanks, Frank.
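As an added illustration (not part of the original message, and not FreeBSD code), the following Python model shows the two evaluation rules the question turns on: a POSIX.1e-style ACL, where entries are unordered, group entries can only be OR-ed and there is no deny entry, and an NFSv4-style ACL (the flavour ZFS uses on FreeBSD), where entries are ordered and a deny entry placed before an allow entry wins for the users it matches. The user names, group memberships and the three sample ACLs are constructed for the example; the POSIX.1e mask entry is left out to keep the model short.

```python
# Added example (not from the original post): a toy model of how two ACL
# flavours evaluate a read request, using constructed users and groups.

# Constructed user population. "bob" is the dodgy accountant.
GROUPS = {
    "alice": {"accounts"},
    "bob": {"accounts", "dodgy"},
    "carol": {"staff"},
}


def posix1e_access(acl, user, want):
    """Evaluate a POSIX.1e-style ACL (what setfacl(1) manages on plain UFS).

    acl is a list of (tag, qualifier, perms), e.g. ("group", "accounts", "r").
    Entry order is irrelevant: the entry class that matches the requester
    decides, and within the group class ANY matching group entry that grants
    the requested bits allows the access. Group entries are therefore OR-ed,
    there is no deny entry, and "accounts AND NOT dodgy" cannot be expressed.
    The mask entry is omitted as a simplification.
    """
    want = set(want)
    groups = GROUPS.get(user, set())
    for tag, who, perms in acl:          # 1. a named-user entry wins outright
        if tag == "user" and who == user:
            return want <= set(perms)
    in_group_class = False               # 2. group class: union of matches
    for tag, who, perms in acl:
        if tag == "group" and who in groups:
            in_group_class = True
            if want <= set(perms):
                return True
    if in_group_class:                   # matched a group but none granted
        return False
    for tag, who, perms in acl:          # 3. fall back to "other"
        if tag == "other":
            return want <= set(perms)
    return False


def nfsv4_access(acl, user, want):
    """Evaluate an NFSv4-style ACL (FreeBSD ZFS; UFS with NFSv4 ACLs enabled).

    acl is an ORDERED list of (who, kind, perms), e.g. ("group:dodgy", "deny", "r").
    Entries are walked in order. An allow entry that matches the requester
    grants the bits it names; a deny entry that matches and names a bit not
    yet granted ends the walk with a refusal. So a deny for "dodgy" placed
    before the allow for "accounts" excludes exactly the dodgy accountants.
    """
    want = set(want)
    groups = GROUPS.get(user, set())
    allowed = set()
    for who, kind, perms in acl:
        if who == "everyone@":
            match = True
        elif who.startswith("user:"):
            match = who[len("user:"):] == user
        elif who.startswith("group:"):
            match = who[len("group:"):] in groups
        else:
            match = False
        if not match:
            continue
        perms = set(perms)
        if kind == "deny" and (want - allowed) & perms:
            return False                 # a still-ungranted bit is denied
        if kind == "allow":
            allowed |= perms & want
            if allowed >= want:
                return True              # every requested bit granted
    return False                         # nothing granted the request


# Constructed ACLs for "master-file".
POSIX_ACL = [
    ("user", "root", "rw"),
    ("group", "accounts", "r"),
    ("other", "", ""),
]

NFSV4_ACL = [                 # deny first, then allow: the order matters
    ("group:dodgy", "deny", "r"),
    ("group:accounts", "allow", "r"),
    ("user:root", "allow", "rw"),
]

NFSV4_ACL_WRONG_ORDER = [     # same entries, allow before deny: bob gets in
    ("group:accounts", "allow", "r"),
    ("group:dodgy", "deny", "r"),
    ("user:root", "allow", "rw"),
]


def who_can_read(evaluate, acl):
    """Return the sorted list of constructed users that may read the file."""
    return sorted(u for u in GROUPS if evaluate(acl, u, "r"))


if __name__ == "__main__":
    print("POSIX.1e         :", who_can_read(posix1e_access, POSIX_ACL))
    print("NFSv4 deny-first :", who_can_read(nfsv4_access, NFSV4_ACL))
    print("NFSv4 allow-first:", who_can_read(nfsv4_access, NFSV4_ACL_WRONG_ORDER))
```

The third ACL is the caveat worth checking on a real system: the same entries in the other order let the dodgy accountant through, because the allow for "accounts" grants the read bit before the deny is reached. On FreeBSD, setfacl(1) takes a position argument with -a for NFSv4 ACLs, so the deny can be inserted ahead of the existing allow; with POSIX.1e ACLs there is no deny entry at all, which is where the cron-maintained "notdodgyaccounts" group comes in.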




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?634f440c0ab99f5c49bf592a6e796789>