--On Thursday, June 26, 2003 1:16 AM -0700 jw schultz <[EMAIL PROTECTED]> wrote:
Impossible with simple user/group permissions.
Not impossible. I've done that sort of thing many times.
-rwxr-x--- 1 charlie cdab 3658 Jan 20 17:35 . -rw-rw-r-- 1 charlie david 3658 Jan 20 17:35 the_file Or so you don't need root to "chgrp david the_file" -rw-rw-r-- 1 charlie charliedave 3658 Jan 20 17:35 the_file
And how does the group charliedave get created? And what happens when you need to add Ed to the list?
I cede the point of it being possible. That's what comes from writing technical e-mail late at night ;-). It's still horrific and unmanageable.
You will find that most definitions of ACLs--including POSIX--only allow you to grant access, not revoke it.
Then those ACLs are just plain broken. Solaris ACLs definitely allow you to revoke privileges (by granting mode 0000 to a user/group).
My point is that i'm not going to anguish over broken regimens that use xattrs to tighten the security.
Broken? Hardly. Default deny is a good philosophy in general, but is not practical in many cases. Simple example from the real world - you have a set of untrusted users (say, vendor support accounts) and you want to lock down certain sensitive information on the box so they can't see it. You either have to maintain a good users list, with every account in the firm in it, and keep it up to date, or you can just deny access to the static, small, bad users list.
Another counter example is the immutable flag. It definitely revokes permissions.
ACLs and capabilities should be used to grant, not revoke. That way if something happens that looses or disables xattrs your system is not compromised. Further by applying the xattrs last you ensure that the file is intact with correct ownership before enabling anything.
Sadly, the way ACLs and simple permissions interact is _very_ OS specific. The correct order to apply permissions will vary by platform. Under Solaris, acl()/facl() set the default user/group/other perms as part of the ACL, so there's no ordering drama. If this isn't the case in other implementations, the right thing is probably:
- Create temp file mode 000 (or 200 if necessary) - Change perms to 000 (if necessary) - Change owner / group - Change ACL / xattr - Change simple perms - Rename file
If the ACL grants access, no problem. If the ACL revokes access, no problem.
Of course, if there is an xattr that will forbid renaming the file, or forbid changing the file's permissions, you're in trouble. But then you're screwed anyway, because you have to rename the file into place before setting the xattr, leaving a window with the file in existence with incorrect permissions.
-- Carson
-- To unsubscribe or change options: http://lists.samba.org/mailman/listinfo/rsync Before posting, read: http://www.catb.org/~esr/faqs/smart-questions.html
