Proposal to allow owning group to edit ACLs

Carlos Eduardo Pedroza Santiviago carlos at prognus.com.br
Wed Jul 20 12:37:02 GMT 2005


I've been playing around with ACLs/set(u/g)id bits and other stuff, and I was
able to achieve "modification only" on certain files, with the sticky bit set on
their parent directory...

The user "root" is only an example, and of course the user in question should
have an SID equiv.

Example:
cadu at amnesia:~$ ls -ld test
drwxrws--T+ 2 root root 72 2005-07-20 09:32 test
(3770 unix mode)

cadu at amnesia:~$ getfacl test
# file: test
# owner: root
# group: root
user::rwx
user:cadu:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:cadu:rwx
default:group::rwx
default:mask::rwx
default:other::---

So, the user "cadu" theoretically has "full rights" on the directory itself (and,
without the sticky bit, he can erase things!!). And,

cadu at amnesia:~/test$ ls -ld testfile
-rw-rw----+ 1 root root 0 2005-07-20 09:35 testfile

cadu at amnesia:~/test$ getfacl testfile
# file: testfile
# owner: root
# group: root
user::rw-
user:cadu:rwx                   #effective:rw-
group::rwx                      #effective:rw-
mask::rw-
other::---

So cadu can write to "testfile":

cadu at amnesia:~/test$ echo "hi" >> testfile
cadu at amnesia:~/test$ ls -l testfile
-rw-rw----+ 1 root root 3 2005-07-20 09:36 testfile

However, he cannot delete it, since the sticky bit exists in the directory,
and he is not the owner of the file.

cadu at amnesia:~/test$ rm testfile
rm: imposível remover `testfile': Operação não permitida

I did this because there are some cases where you need to allow users to
modify some files, but not delete them.

Could this somehow be used to allow "modification only" management through
windows machines?

Thanks.

-- 
Carlos Eduardo Pedroza Santiviago
Support Analyst
<carlos at prognus.com.br>

Prognus Soluções Livres em TI
http://www.prognus.com.br
+55 45 3520-5867
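The permission logic the post demonstrates, as an added example that is not part of the original message or of Samba: a small Python model of the POSIX.1e ACL access check (with the mask ANDed into named-user and group entries, which is exactly where getfacl's `#effective:rw-` annotations come from) and of the sticky-bit rule for unlink(). The getfacl text is copied from the post; the group memberships, the treatment of `root` as an unrestricted superuser and all function names are assumptions.

```python
"""Model of the checks behind the post: POSIX.1e ACL evaluation with the
mask applied, plus the sticky-bit rule for unlink(). Example code added
here, not from the samba-technical thread."""
from dataclasses import dataclass

# Constructed copies of the getfacl(1) output quoted in the post.
TEST_DIR_ACL = """\
# file: test
# owner: root
# group: root
user::rwx
user:cadu:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:cadu:rwx
default:group::rwx
default:mask::rwx
default:other::---
"""

TESTFILE_ACL = """\
# file: testfile
# owner: root
# group: root
user::rw-
user:cadu:rwx                   #effective:rw-
group::rwx                      #effective:rw-
mask::rw-
other::---
"""


@dataclass
class Acl:
    owner: str
    group: str
    entries: dict  # (tag, qualifier) -> set of permission letters


def parse_getfacl(text):
    """Parse getfacl text. Default entries only shape newly created
    children, so they are skipped for the access check on this object."""
    owner = group = None
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# owner:"):
                owner = line.split(":", 1)[1].strip()
            elif line.startswith("# group:"):
                group = line.split(":", 1)[1].strip()
            continue
        line = line.split("#", 1)[0].strip()  # drop "#effective:" notes
        if line.startswith("default:"):
            continue
        tag, qualifier, perms = line.split(":")
        entries[(tag, qualifier)] = {c for c in perms if c != "-"}
    return Acl(owner, group, entries)


def perm_string(perms):
    return "".join(c if c in perms else "-" for c in "rwx")


def effective_perms(acl, tag, qualifier=""):
    """What an entry really grants: named-user and group entries are ANDed
    with the mask; the owner and other entries are never masked."""
    perms = acl.entries[(tag, qualifier)]
    mask = acl.entries.get(("mask", ""))
    if mask is not None and (tag == "group" or (tag == "user" and qualifier)):
        perms = perms & mask
    return perms


def acl_permits(acl, user, groups, want):
    """Access check in POSIX.1e order: owner, named user, owning group and
    named groups (any single matching group entry may grant), then other."""
    want = set(want)
    e = acl.entries
    if user == acl.owner:
        return want <= e[("user", "")]
    if ("user", user) in e:
        return want <= effective_perms(acl, "user", user)
    matched = False
    for tag, q in e:
        if tag == "group" and ((q == "" and acl.group in groups) or q in groups):
            matched = True
            if want <= effective_perms(acl, "group", q):
                return True
    if matched:
        return False  # group class matched but granted too little
    return want <= e[("other", "")]


def can_unlink(dir_acl, dir_mode, file_acl, user, groups):
    """unlink() needs w+x on the directory; with the sticky bit (01000) the
    caller must also own the file or the directory. 'root' stands in for
    CAP_FOWNER / CAP_DAC_OVERRIDE here (assumption)."""
    if user == "root":
        return True
    if not acl_permits(dir_acl, user, groups, "wx"):
        return False
    if not dir_mode & 0o1000:
        return True
    return user in (file_acl.owner, dir_acl.owner)


if __name__ == "__main__":
    d, f = parse_getfacl(TEST_DIR_ACL), parse_getfacl(TESTFILE_ACL)
    print("cadu effective on testfile:", perm_string(effective_perms(f, "user", "cadu")))
    print("cadu can write:", acl_permits(f, "cadu", {"cadu"}, "w"))
    print("cadu can unlink (3770 / 2770):",
          can_unlink(d, 0o3770, f, "cadu", {"cadu"}), can_unlink(d, 0o2770, f, "cadu", {"cadu"}))
```

The evaluation order follows the one the Linux kernel's posix_acl_permission() uses, so the model reproduces both observations in the post: cadu's `user:cadu:rwx` entry on testfile is capped to `rw-` by `mask::rw-`, and with mode 3770 on the directory the unlink is refused because cadu owns neither the file nor the directory, while the same call succeeds once the sticky bit is dropped (mode 2770).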



