"Paul B. Henson" <hen...@acm.org> writes:

> On Fri, 26 Feb 2010, David Dyer-Bennet wrote:
>> I think of using ACLs to extend extra access beyond what the
>> permission bits grant. Are you talking about using them to prevent
>> things that the permission bits appear to grant? Because so long as
>> they're only granting extended access, losing them can't expose
>> anything.
>
> Consider the example of creating a file in a directory which has an
> inheritable ACL for new files:

why are you doing this? it's inherently insecure to rely on ACL's to
restrict access. do as David says and use ACL's to *grant* access. if
needed, set permission on the file to 000 and use umask 777.

> drwx--s--x+ 2 henson csupomona 4 Feb 27 09:21 .
>     owner@:rwxpdDaARWcC--:-di---:allow
>     owner@:rwxpdDaARWcC--:------:allow
>     group@:--x---a-R-c---:-di---:allow
>     group@:--x---a-R-c---:------:allow
>     everyone@:--x---a-R-c---:-di---:allow
>     everyone@:--x---a-R-c---:------:allow
>     owner@:rwxpdDaARWcC--:f-i---:allow
>     group@:--------------:f-i---:allow
>     everyone@:--------------:f-i---:allow
>
> When the ACL is respected, then regardless of the requested creation
> mode or the umask, new files will have the following ACL:
>
> -rw-------+ 1 henson csupomona 0 Feb 27 09:26 foo
>     owner@:rw-pdDaARWcC--:------:allow
>     group@:--------------:------:allow
>     everyone@:--------------:------:allow
>
> Now, let's say a legacy application used a requested creation mode of
> 0644, and the current umask was 022, and the application calculated
> the resultant mode and explicitly set it with chmod(0644):

why is umask 022 when you want 077? *that's* your problem.

-- 
Kjetil T. Homme
Redpill Linpro AS - Changing the game
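The legacy-application pattern discussed in this thread, as an added example that is not code from any of the posters: the program reads the umask, computes `requested & ~umask` itself, and applies the result with an explicit chmod. The function name `legacy_create_mode` and the `/tmp` path are assumptions; the sketch reports only the resulting permission bits on an ordinary POSIX filesystem and does not show what ZFS does to the ACL.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* umask() can only set-and-return, so read it by setting and restoring. */
static mode_t current_umask(void)
{
    mode_t m = umask(0);
    umask(m);
    return m;
}

/*
 * Hypothetical legacy pattern: the file starts out owner-only (mkstemp
 * creates it 0600, standing in for the -rw------- result of the inherited
 * ACL), then the program computes requested & ~umask and sets it explicitly.
 * Returns the final permission bits, or -1 on error.
 */
int legacy_create_mode(mode_t process_umask, mode_t requested)
{
    char path[] = "/tmp/legacy_chmod_XXXXXX";   /* constructed scratch file */
    struct stat st;
    int result = -1;
    mode_t saved = umask(process_umask);

    int fd = mkstemp(path);
    if (fd >= 0) {
        mode_t effective = requested & ~current_umask();
        /* fchmod on the open descriptor; same mode change as chmod(path). */
        if (fchmod(fd, effective) == 0 && fstat(fd, &st) == 0)
            result = (int)(st.st_mode & 0777);
        close(fd);
        unlink(path);
    }
    umask(saved);
    return result;
}

int main(void)
{
    printf("umask 022, request 0644 -> %04o\n",
           (unsigned)legacy_create_mode(022, 0644));
    printf("umask 077, request 0644 -> %04o\n",
           (unsigned)legacy_create_mode(077, 0644));
    return 0;
}
```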