The trouble with dropping groups

The trouble with dropping groups

Posted Nov 25, 2014 12:45 UTC (Tue) by Jandar (subscriber, #85683)
In reply to: The trouble with dropping groups by ortalo
Parent article: The trouble with dropping groups

It doesn't matter if it's counterintuitive to some, it is an old standard practice from times well before ACL (and Linux) existed. It's embarrassing I find it more natural than this newfangled ACL thing ;-).



The trouble with dropping groups

Posted Dec 6, 2014 0:46 UTC (Sat) by Wol (subscriber, #4433) [Link] (3 responses)

Well, if linux acls are anything like windows acls then I find them thoroughly confusing too. Especially adding user and group rights. And negative rights.

The system I am used to is simple.

If user acl then grant user rights else if group acl(s) then grant sum of group rights else grant default rights.

Okay, I then can't restrict a group of users, but it makes it dead easy for me to control what rights someone has over my project - if I give a user an explicit set of rights then their (possibly unknown to me) group rights are irrelevant.

The problem with adding user and group rights is it prevents an administrator delegating to a project manager the ability to manage his projects. Okay, the best way is proper group management but if the project manager doesn't know (and he may well not have access to) the list of groups his staff belong to, then my version gives him the ability to explicitly control access at the user level.

Cheers,
Wol

The trouble with dropping groups

Posted Dec 6, 2014 20:05 UTC (Sat) by bfields (subscriber, #19510) [Link] (2 responses)

> If user acl then grant user rights else if group acl(s) then grant sum of group rights else grant default rights.

That's more or less what the "posix" acls supported by most linux filesystems do. (See the "ACCESS CHECK ALGORITHM" section in the acl(5) man page for details.) They don't have the explicit deny aces that windows acls do.

The trouble with dropping groups

Posted Dec 6, 2014 20:57 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]

Not true. For POSIX ACLs only the most specific entry is evaluated:

> The ACL entries are looked at in the following order: owner, named users, (owning or named) groups, others. Only a single entry determines access. Step two checks if the matching entry contains sufficient permissions.
(c) http://users.suse.com/~agruen/acl/linux-acls/online/main....

This can be used (and often is!) for effectively negative ACLs.

The trouble with dropping groups

Posted Dec 6, 2014 22:44 UTC (Sat) by rleigh (guest, #14622) [Link]

I suppose this is one area where NFS4 ACLs are a much better solution than "POSIX" ACLs, since you can have an explicit deny in the ACEs. (I see your name on the nfs4_acl(5) manpage, so I assume you'll know the answer!)

At least when using ZFS/NFS4 with FreeBSD, it appears to have fully native support for NFS4 ACLs, while Linux doesn't appear to have support there at the moment (when testing using an NFS4 ZFS export). Are there any plans for support for NFS4 ACLs with Linux on native and remote filesystems?
