Corinna Vinschen wrote: > Yep. But as far as I'm concerned we should drop that part of your > patch until I could update ssh.
What about putting it in with #if 0 ? It will then be easier to turn it on when ssh is ready. Alternatively I could add it, but add a check for group sid is SYSTEM, and then skip the step. That would be very easy to do, and to remove later when ssh is ready. I like this best actually. > > It's not a group_deny, it's an owner deny (which would go on top, so canonical > > order is OK here). > > Oops, thick fingers... > > > Also if the owner is not in the group when alloc_sd is called, and is placed > > in the group later, then the owner access mode of the file would change, which > > isn't POSIX. > > Let's look at it from another angle: what is gained by going through the trouble > > of calling is_grp_member and possibly omitting the owner_deny? > > Since is_grp_member() isn't that slow anymore, what does it hurt to > get the situation right in the first place? I'm somehow more and more > convinced that this is just a matter of taste. As far as I can see there is absolutely no advantage to calling is_grp_member() in alloc_sd() and by potentially omitting the owner_deny we are making the situation worse! So here I am insistent! > > The non canonical order is produced when the group has less permission > > than everyone, which I agree is unlikely. > > Yeah, my mind was on another issue. Time for weekend. > > > It's 100% OK with me to give preference to being nice! > > Ok. I'm really sorry that I'm making your live that hard but I assume > you know that I'm just trying to find something as a best solution (if > that's at all possible). Sure, and it's reciprocal. By the way could you ask your friend if large organizations really use deny ACEs? Are there tools that insert them in ACLs? Have a relaxing weekend! Pierre
