Re: DENY ACL's
From: Ken Cross (kcross@ntown.com)
Date: 08/20/01
- Next message: Mark Rowlands: "Re: Would like suggestion for an app to write IPFW rules..."
- Previous message: Ilmar S. Habibulin: "Re: DENY ACL's"
- In reply to: Ilmar S. Habibulin: "Re: DENY ACL's"
- Next in thread: Chris BeHanna: "Re: DENY ACL's"
- Reply: Chris BeHanna: "Re: DENY ACL's"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Ken Cross" <kcross@ntown.com> To: "Ilmar S. Habibulin" <ilmar@watson.org> Date: Mon, 20 Aug 2001 10:12:49 -0400
>
> > The particular case you show would work, but others won't.
>
> I think that the example given below is the result of badly formed
> security policy.
Not really. There are real cases in large organizations where that
configuration is perfectly legitimate. OTOH, it is often the result of
"quick-fix" solutions. But that's the real world...
>
> > For example, suppose the user is a member of GroupA which is allowed
access
> > and also a member of GroupB which is denied access, e.g. "setfacl -m
> > g:GroupA:rwx,g:GroupB: file". (There's no user-specific ACL.)
> > All "deny" ACL's must be checked first, so the user should be denied.
Under
> > the current scheme, I think the "best match" would allow access.
>
> Yes, user will have access to file, but why shouldn't he have it?
For whatever reason, the administrators decided to explicitly deny access to
GroupB. By definition, that *must* be honored first. I don't make the
rules, but I gotta live by them. ;-)
Ken
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
- Next message: Mark Rowlands: "Re: Would like suggestion for an app to write IPFW rules..."
- Previous message: Ilmar S. Habibulin: "Re: DENY ACL's"
- In reply to: Ilmar S. Habibulin: "Re: DENY ACL's"
- Next in thread: Chris BeHanna: "Re: DENY ACL's"
- Reply: Chris BeHanna: "Re: DENY ACL's"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
