The "impossible"

Posted Nov 26, 2010 14:04 UTC (Fri) by Ross (subscriber, #4065)
Parent article: Ghosts of Unix past, part 3: Unfixable designs

The article says in reference to applying complex group-based permissions: "The simple is certainly simple, but the complex is truly impossible."

Clearly you haven't had to find a way to do it. :) There are a few different ways.

The easiest way to be able to apply permissions for more than one group is to create many additional groups which are unions of the others by putting the users in them. Yes, now you get to maintain these. It's best to write a tool to generate them.

If you want intersections you can do that with groups too, or by nesting subdirectories and applying the traversal permissions for each group to those.

But what if you want to mix read permission for one set of groups with write permission for another?

Well, you have to use the file's real write bit and group owner for the write permission since that's the only way to control it traditionally. Then use the parent directory's permissions to prevent read access from anyone not in the second set of groups and set the file's world-readability bit.

If you want to grant execute permission to a third set of groups -- that's a problem. That one really is impossible but execute doesn't mean much if you can read something (and it's not suid or sgid).

Please don't think I'm saying any of that is nice or preferable to POSIX or Windows ACLs, because it clearly sucks horribly for so many use cases, but it does show that it is possible to apply read/write permissions to arbitrary sets of groups if you're willing to deal with this kind of setup.


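Added example (not part of either comment): a small Python model of the traditional owner/group/other check, applied to the layout the comment above describes. The user and group names, the `u_read`/`u_write` union groups, the 0750/0664 modes, and placing the writers in the directory's group are all assumptions made for illustration.

```python
# Added example: models the classic Unix permission check for the layout in
# the comment above. All users, groups and modes here are constructed.
R, W, X = 4, 2, 1

SAMPLE_GROUPS = {  # constructed sample membership
    "eng": {"alice", "bob"}, "qa": {"carol"}, "ops": {"dave"}, "docs": {"erin"},
}

def union_group(groups, *names):
    """Membership of a generated union group (what the suggested tool would emit)."""
    return set().union(*(groups[n] for n in names))

def allowed(user, groups, node, want):
    """Exactly one of owner/group/other applies; the first matching class wins."""
    mode = node["mode"]
    if user == node["owner"]:
        bits = (mode >> 6) & 7
    elif user in groups[node["group"]]:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want

def access(user, groups, directory, file, want):
    """Reaching dir/file needs search (x) on the directory, then `want` on the file."""
    return allowed(user, groups, directory, X) and allowed(user, groups, file, want)

def build_layout(groups, read_sets, write_sets):
    """Write is controlled by the file's group bit, read by the parent directory."""
    groups = dict(groups)
    groups["u_write"] = union_group(groups, *write_sets)
    # Assumption: writers must traverse the directory too, so they are added
    # to the directory's group alongside the readers.
    groups["u_read"] = union_group(groups, *read_sets) | groups["u_write"]
    directory = {"owner": "root", "group": "u_read", "mode": 0o750}  # no 'other' access
    file = {"owner": "root", "group": "u_write", "mode": 0o664}      # world-readable
    return groups, directory, file

if __name__ == "__main__":
    g, d, f = build_layout(SAMPLE_GROUPS, ("eng", "qa"), ("ops",))
    for user in ("alice", "carol", "dave", "erin"):
        print(user, "read:", access(user, g, d, f, R), "write:", access(user, g, d, f, W))
```

The directory must stay non-writable for both groups: write permission on it would let a member unlink or replace the file regardless of the file's own mode.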

The "impossible"

Posted Nov 26, 2010 22:23 UTC (Fri) by neilbrown (subscriber, #359)

If you actually had to implement something like this - which the second line seems to suggest - you have my sympathies!

Yes: it does seem that it was a slight over-statement to say "impossible". If you have unlimited groups per user, allow users to create their own groups, and don't worry too much about giving new access to already-running processes, then many complex things are indeed possible.

Maybe we need a different maxim: "simple things should be simple, complex things shouldn't drive you insane"!

Thanks for your thoughts.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds