On 3/19/06, Marcus Brinkmann <[EMAIL PROTECTED]> wrote: > At Sun, 19 Mar 2006 17:58:16 -0500, > Thomas Schwinge <[EMAIL PROTECTED]> wrote: > > > > On Sun, Mar 19, 2006 at 11:17:48PM +0100, Marcus Brinkmann wrote: > > > But what corresponds to the Unix group concept? I have identified two > > > semantic uses for a "group": > > > > > > 1) Sharing information and authorization. Ie, allow communication > > > among users of the same group. > > > > > > 2) Provide durable storage that is not associated with any particular > > > member of the group. > > > > 3) Hindrance of the above. > > > > #v+ > > $ groups > > users foo > > $ ls -l /tmp/not-for-fooers > > -rw----rw- 1 thomas foo 0 Mar 19 23:45 /tmp/not-for-fooers > > $ cat /tmp/not-for-fooers > > cat: /tmp/not-for-fooers: Permission denied > > #v- > > I'm disgusted! > > > I don't know if there's a real-world example of this facility being used, > > though. > > I sincerely hope there isn't. Otherwise it would rank very high in my > list of horrible Unix idiosyncrasies. > > In a capability system, the right way not to share something is, uhm, > not to share it, of course.
What if I have secret surprise party plans for John who works on 5th floor and everyone on that floor is invited. Everyone in the 5th_floor group should be able to read them *except* for John. I could make a group 5th_floor_except_john, but that would require a lot of extra work. You would replace John with the consulting group that is leaving. As a side note, this very same problem appears in logic programming (e.g. MiniKamren, Prolog). A "well designed" program should only be making assertions about true relationships (e.g. John [is_father_of] Mary, x [unifies_with] y), and never making assertions about false relationships (e.g. x [! is_father_of] x, x [never_equals] y). However, when the set of objects is unbounded this becomes difficult. In particular, it is (almost?) impossible to write a correct lambda calculus interpreter (in logic programming) without never_equals (extra nonsense solutions appear if you don't use never_equals (e.g. (((lambda (x) (lambda (x) x)) 1) 2)) results in both 2 (correct) and 1 (incorrect))). Bottom line is that we don't like negative assertions (deny permissions) but sometimes they are necessary. Just some thoughts, Michael D. Adams [EMAIL PROTECTED] _______________________________________________ L4-hurd mailing list [email protected] http://lists.gnu.org/mailman/listinfo/l4-hurd
