patch draft for extended attributes on linux

jw schultz jw at
Fri Jun 27 15:25:35 EST 2003

On Thu, Jun 26, 2003 at 11:43:40AM -0400, Carson Gaspar wrote:
> --On Thursday, June 26, 2003 1:16 AM -0700 jw schultz <jw at> wrote:
> >>Impossible with simple user/group permissions.
> >
> >Not impossible.  I've done that sort of thing many times.
> >
> >-rwxr-x---    1 charlie   cdab         3658 Jan 20 17:35 .
> >-rw-rw-r--    1 charlie   david        3658 Jan 20 17:35 the_file
> >Or so you don't need root to "chgrp david the_file"
> >-rw-rw-r--    1 charlie   charliedave  3658 Jan 20 17:35 the_file
> And how does the group charliedave get created? And what happens when you 
> need to add Ed to the list?

Just like all other groups.  I only called it that because
you did not define why this was only charlie and dave.  I
pity those who's permissions decisions are capricious.

> I cede the point of it being possible. That's what comes from writing 
> technical e-mail late at night ;-). It's still horrific and unmanageable.

Subjective.  I find no horror in it and easy to manage but
long ACLs the opposite.

> >You will find that most definitions of ACLs--including
> >POSIX--only allow you to grant access, not revoke it.
> Then those ACLs are just plain broken. Solaris ACLs definitely allow you to 
> revoke privileges (by granting mode 0000 to a user/group).

I did overstate it, my error.  You can block a user by
creating a matching ACL_USER entry.  Just be careful of
unintended consequences of a user matching  multiple
ACL_GROUP entries which are effectively ored.  And heaven
help you if something causes the ACLs to be dropped.

	J.W. Schultz            Pegasystems Technologies
	email address:		jw at

		Remember Cernan and Schmitt

More information about the rsync mailing list