patch draft for extended attributes on linux
jw at pegasys.ws
Fri Jun 27 15:25:35 EST 2003
On Thu, Jun 26, 2003 at 11:43:40AM -0400, Carson Gaspar wrote:
> --On Thursday, June 26, 2003 1:16 AM -0700 jw schultz <jw at pegasys.ws> wrote:
> >>Impossible with simple user/group permissions.
> >Not impossible. I've done that sort of thing many times.
> >-rwxr-x--- 1 charlie cdab 3658 Jan 20 17:35 .
> >-rw-rw-r-- 1 charlie david 3658 Jan 20 17:35 the_file
> >Or so you don't need root to "chgrp david the_file"
> >-rw-rw-r-- 1 charlie charliedave 3658 Jan 20 17:35 the_file
> And how does the group charliedave get created? And what happens when you
> need to add Ed to the list?
Just like all other groups. I only called it that because
you did not define why this was only charlie and dave. I
pity those who's permissions decisions are capricious.
> I cede the point of it being possible. That's what comes from writing
> technical e-mail late at night ;-). It's still horrific and unmanageable.
Subjective. I find no horror in it and easy to manage but
long ACLs the opposite.
> >You will find that most definitions of ACLs--including
> >POSIX--only allow you to grant access, not revoke it.
> Then those ACLs are just plain broken. Solaris ACLs definitely allow you to
> revoke privileges (by granting mode 0000 to a user/group).
I did overstate it, my error. You can block a user by
creating a matching ACL_USER entry. Just be careful of
unintended consequences of a user matching multiple
ACL_GROUP entries which are effectively ored. And heaven
help you if something causes the ACLs to be dropped.
J.W. Schultz Pegasystems Technologies
email address: jw at pegasys.ws
Remember Cernan and Schmitt
More information about the rsync