On 17 Mar 2000, Niels M�ller wrote: > As a concrete example, say you want to limit write access to the file > /games/nethack/lib/nethackdir/record to members of the group games. > And that you, at the same time, want to grant read access to everybody > but guests. How would you do that?
ACLs!!! =) yes, I have run into that particular situation myself many times, and wished for a way to do things like that. What happens, though, when you want, say, group devel to have full access to a file (project, directory, whatever), group qa to have only read (execute) access, and nobody else? Well, the everybody else is easy to take care of, but what about the conflicting group permissions? I've been in cases like that. On unix, you'd either end up making a new group for that project that has the members of both devel and qa, and give them all full access, or you end up giving full access to only devel, read access to everybody else, and biting the bullet. You could still create another group that has members of both devel and qa, and then restrict the next higher-up directory so that only group dev-qa has access and "other/world" has no access, and then do some really funky permissions on down the tree: drwxr-xr-x root root / drwxrwx--- root dev-qa /projects drwxrwsr-x root devel /projects/program1 Here, if dev-qa contains both users from devel and qa, then you can do what I mention above. Big pain in the ass, and requires extra directories in the path to get it working. At this point, something like the not-logged-in user is useless. It's still neat, but only if I have guests randomly walking in and playing with my servers/workstations. In an environment where this does not happen, I have no need for that extra set of permissions. I do have a need, however, for ACLs. Especially, if given this case, the manager of the applications development department, who oversees the people in both devel and qa, but is a member of neither, wanted to have permissions to look (read-only) at all these projects. So, looks like I'll have to do a bit of studying on filesystem structures... -- Gregory Ade <[EMAIL PROTECTED]> Find PGP public key at http://www.pgp.com (Key ID 0x63B57600) #include <standard/disclaim.h> procmail(1) is your friend.
