-ray wrote:
> You can do things like this: For file.txt, willg and dustinp have
> read/write access to it. The admin group and the wheel group have
> read/write access to it. The users group only has read access to it.
> Users ray and brad, even though they're in the users group, are explicitly
> denied any access to the file.
>
> Try doing that with standard Unix permissions, without creating a new
> group just for that file. When you have to do stuff like that for lots
> and lots of files, standard Unix permissions fail miserably. And that's
> not even mentioning inherited rights (or blocking inherited rights).

While it's great that the above is possible, the issue is that it is a pain to maintain. For one file, it's not that big of a deal, but to do that for any moderately sized organization, especially with turn-over -- you end up with permissions that were great 6 months ago, but don't match conditions today.

In the above example, you'll probably have organizationally defined groups that comprise (willg, dustinp), (ray, brad), and (all users except (ray, brad)). You'll probably also have quite a few other network resources that require permissions based on those groups. So, you'll probably want to just add linus to the (willg, dustinp) group and billg to the (ray, brad) group, instead of hunting down a bunch of files to change permissions on.

Kevin
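
The trade-off discussed in this exchange, as an added example that is not part of the original posts: a small model of ACL evaluation comparing per-user entries with entries that name organizational groups after linus and billg join. The group names team_a and restricted, the extra accounts, the file names and the "any matching deny wins" rule are assumptions made for the illustration.

```python
# Constructed membership; team_a and restricted are hypothetical names for the
# (willg, dustinp) and (ray, brad) groups mentioned in the reply.
GROUPS = {
    "admin": {"root"},
    "wheel": {"root"},
    "users": {"willg", "dustinp", "ray", "brad", "linus", "billg"},
    "team_a": {"willg", "dustinp"},
    "restricted": {"ray", "brad"},
}

def access(acl, user, groups):
    """Rights `user` gets from `acl`. Assumption: any matching deny entry wins."""
    granted = set()
    for kind, name, rights in acl:  # kind is "user" or "group"
        if kind == "user":
            matches = name == user
        else:
            matches = user in groups.get(name, ())
        if not matches:
            continue
        if rights == "deny":
            return ""
        granted |= set(rights)
    return "".join(sorted(granted))

def per_user_acl():
    """The ACL from the quoted post, with individuals named on the file."""
    return [("user", "willg", "rw"), ("user", "dustinp", "rw"),
            ("group", "admin", "rw"), ("group", "wheel", "rw"),
            ("group", "users", "r"),
            ("user", "ray", "deny"), ("user", "brad", "deny")]

def group_acl():
    """The same policy expressed only through organizational groups."""
    return [("group", "team_a", "rw"), ("group", "admin", "rw"),
            ("group", "wheel", "rw"), ("group", "users", "r"),
            ("group", "restricted", "deny")]

def onboard(n_files):
    """Add linus and billg to their groups; count files that match intent."""
    groups = {g: set(m) for g, m in GROUPS.items()}
    per_user = {f"file{i}.txt": per_user_acl() for i in range(n_files)}
    grouped = {f"file{i}.txt": group_acl() for i in range(n_files)}
    groups["team_a"].add("linus")      # two membership changes,
    groups["restricted"].add("billg")  # no file ACL is edited
    def correct(acl):
        return (access(acl, "linus", groups) == "rw"
                and access(acl, "billg", groups) == "")
    stale = sum(not correct(a) for a in per_user.values())
    good = sum(correct(a) for a in grouped.values())
    return stale, good
```

With per-user entries, every file still gives linus and billg plain read access through the users group until its ACL is edited by hand; with group entries, the two membership changes are enough.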
