Subject: Re: ACLs and groups - am I being silly?
To: Lucio De Re <lucio@proxima.alt.za>
From: Roger Brooks <R.S.Brooks@liverpool.ac.uk>
List: tech-kern
Date: 03/13/2001 14:42:53
On Tue, 13 Mar 2001, Lucio De Re wrote:

>The consensus seems to be that the inflexibility of groups makes it
>essential to bring ACLs into the NetBSD filesystem picture.
>
>Is it totally unthinkable to extend in some - not necessarily
>compatible - fashion the concept of "group" attached to a file
>object such that it in fact represents a unique ACL?  If we assume
>that groups and ACLs are mutually incompatible, we have no need to
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>layer anything, we just need a selector between one model and the
>other.

I'm afraid this isn't true -- at least not in the Solaris implementation
(and AFAIR the DYNIX implementation).

As I understand it, the normal Unix permission bits are checked first,
and if they allow access the ACL is never examined.  Only if the file mode
bits deny access is the ACL tested to see if that allows access.

And IMHO a NetBSD ACL implementation which wouldn't interwork over NFS
with Solaris (both ways) would be extremely silly.


Roger

------------------------------------------------------------------------------
Roger Brooks (Systems Programmer),          |  Email: R.S.Brooks@liv.ac.uk
Computing Services Dept,                    |  Tel:   +44 151 794 4441
The University of Liverpool,                |  Fax:   +44 151 794 4442
PO Box 147, Liverpool L69 3BX, UK           | 
------------------------------------------------------------------------------
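
The following is an added example, not part of the original message and not taken from Solaris, DYNIX or NetBSD source. It models the check order exactly as the message describes it (mode bits first, ACL only on denial) beside one simplified reading of the quoted selector proposal, to show where the two disagree; all type names, function names and sample values are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

#define WANT_R 4
#define WANT_W 2

/* Hypothetical structures for illustration only. */
struct acl_entry { uid_t uid; int perms; };
struct file_obj {
    uid_t owner; gid_t group; int mode;        /* classic rwxrwxrwx bits */
    const struct acl_entry *acl; size_t nacl;  /* extra per-user entries */
};
struct cred { uid_t uid; gid_t gid; };

/* Classic check: exactly one of the owner/group/other classes applies. */
static bool mode_allows(const struct file_obj *f, const struct cred *c, int want)
{
    int bits;
    if (c->uid == f->owner)      bits = (f->mode >> 6) & 7;
    else if (c->gid == f->group) bits = (f->mode >> 3) & 7;
    else                         bits = f->mode & 7;
    return (bits & want) == want;
}

/* ACL check: only a matching per-user entry can grant access. */
static bool acl_allows(const struct file_obj *f, const struct cred *c, int want)
{
    for (size_t i = 0; i < f->nacl; i++)
        if (f->acl[i].uid == c->uid)
            return (f->acl[i].perms & want) == want;
    return false;
}

/* Order as described in the message: the ACL is consulted only on denial. */
bool layered_access(const struct file_obj *f, const struct cred *c, int want)
{
    return mode_allows(f, c, want) || acl_allows(f, c, want);
}

/* Assumed reading of the selector proposal: a file with an ACL ignores mode bits. */
bool selector_access(const struct file_obj *f, const struct cred *c, int want)
{
    return f->nacl > 0 ? acl_allows(f, c, want) : mode_allows(f, c, want);
}

/* Constructed sample: mode 0640, owner 100, group 20, ACL grants uid 300 rw. */
static const struct acl_entry sample_acl[] = { { 300, WANT_R | WANT_W } };
static const struct file_obj sample_file = { 100, 20, 0640, sample_acl, 1 };
static const struct cred group_member = { 200, 20 };  /* in group, not in ACL */
static const struct cred acl_user     = { 300, 30 };  /* in ACL, not in group */
```

For the group member the two models give different answers on a read: the layered check grants it through the group bits, while the selector check denies it because the ACL has no entry for that uid.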