On Wed, 17 Dec 2008, Erik Dalén wrote:
> On Wed, Dec 17, 2008 at 03:09, Stephen Joyce <[email protected]> wrote:
>> On Tue, 16 Dec 2008, Tom Maher wrote:
>>> What's the semantics for negative ACLs? For example,
>>>
>>>   fs sa . system:authuser rl
>>>   fs sa . badguy +rl -negative
>>>
>>> I'm guessing that'll give badguy negative "rl" bits.
>>
>> Makes sense to me.
>>
>>> Should 'fs sa . badguy -rl' implicitly give him negative "rl" bits, if
>>> he doesn't have anything already?
>>
>> That doesn't make sense to me. I'd suggest that -<perm> should never add
>> permissions, only remove. So it should just clear the perms if they're set
>> and do nothing if not. To add the negative flags, do what you suggested
>> above.
>>
>> My $0.02.
>
> Sounds very reasonable to me. My vote for implementing it like this.

Still doesn't feel devoid of ambiguity, though:

  fs sa . user +rl -negative   # sets negative bits
  fs sa . user -rl -negative   # takes away negative bits?
  fs sa . user -rl             # takes away both negative and positive bits?
                               # or positive only? what about neg. then?

To add more confusion, I find another model conceivable:

  fs sa . user +a   # always removes negative bit, adds positive bit
  fs sa . user -a   # always sets negative bit, removes positive bit

the drawbacks being painfully obvious.

In all, with ACLs having one degree of higher complexity than unix
permissions, there probably is no way to make this syntax 100% intuitively
akin to chmod's.

Thus, the original proposal to use postfix +/- might communicate the
distinction?

Regards
Felix
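
Added example, not part of the thread and not OpenAFS code: a toy Python model of one reading of the syntax discussed above, assuming `-negative` only selects which list is edited and `-<perm>` only clears bits, never sets them. `Acl`, `apply`, `effective` and `demo` are hypothetical names; effective rights are taken as granted minus denied.

```python
# Toy model of an AFS-style ACL with normal and negative lists.
RIGHTS = set("rlidwka")  # the seven standard AFS rights


class Acl:
    def __init__(self):
        self.positive = {}  # principal -> set of granted rights
        self.negative = {}  # principal -> set of denied rights

    def apply(self, who, spec, negative=False):
        """Apply '+rl', '-rl' or plain 'rl' (replace) to one list.
        Assumption: negative=True only picks the list being edited."""
        table = self.negative if negative else self.positive
        op, letters = (spec[0], spec[1:]) if spec[0] in "+-" else ("=", spec)
        bits = set(letters)
        if not bits <= RIGHTS:
            raise ValueError(f"unknown rights in {spec!r}")
        current = table.get(who, set())
        if op == "+":
            current = current | bits
        elif op == "-":
            current = current - bits   # clears only, never sets anything
        else:
            current = bits
        if current:
            table[who] = current
        else:
            table.pop(who, None)       # an empty entry is dropped

    def effective(self, who, groups=()):
        """Rights granted to who or their groups, minus anything denied."""
        names = (who, *groups)
        granted = set().union(*(self.positive.get(n, set()) for n in names))
        denied = set().union(*(self.negative.get(n, set()) for n in names))
        return "".join(r for r in "rlidwka" if r in granted - denied)


def demo():
    acl = Acl()
    acl.apply("system:authuser", "rl")          # fs sa . system:authuser rl
    acl.apply("badguy", "+rl", negative=True)   # fs sa . badguy +rl -negative
    blocked = acl.effective("badguy", ["system:authuser"])
    acl.apply("badguy", "-rl")                  # fs sa . badguy -rl
    still_blocked = acl.effective("badguy", ["system:authuser"])
    acl.apply("badguy", "-rl", negative=True)   # fs sa . badguy -rl -negative
    restored = acl.effective("badguy", ["system:authuser"])
    return blocked, still_blocked, restored
```

Under this reading a bare `-rl` neither creates nor lifts a deny entry, so the negative bits stay in force until they are cleared with `-negative`.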