Andrew Deason <[email protected]> writes:
> Russ Allbery <[email protected]> wrote:

>> It's not as important as being able to block system:anyuser, but yes,
>> I'd ideally like to be able to block arbitrary PTS groups from being
>> added to ACLs with "all" or "write" access.

> Thanks for being the first to speak up, but I want to make clear that
> this sub-thread was specifically about system:authuser restrictions,
> since it's kind of a special case. Blocking "arbitrary PTS groups" from
> getting certain rights in ACLs has issues.

I don't see much utility in blocking system:authuser specifically.
system:anyuser is the low-hanging fruit. Outside of system:anyuser, I
think the next meaningful level of feature is blocking arbitrary
admin-specified groups or users from being given write or admin access.
I don't think system:authuser is sufficiently interesting to be worth a
lot of attention outside of supporting arbitrary restrictions.

> The thing is, for the non-special groups (i.e. most groups), blocking a
> specific group people.foo in an ACL doesn't do much. Since you can just
> 'pts add people.foo adeason:foo', and then put adeason:foo in the ACL.
> Unless we also change the permissions of supergroup creation or
> something, there's not really a way around that.

That's okay. I don't need something that can't be worked around, just
something that catches users who don't know what they're doing.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
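
The following is an added example, not part of the original message and not OpenAFS code: an after-the-fact audit that flags ACL entries granting w or a rights to an admin-blocked principal, including the supergroup case discussed above. The function names, the choice of w/a as the "write or admin" test, and all sample data are assumptions constructed for illustration.

```python
# Added example: constructed data and hypothetical names; not OpenAFS code.
WRITE_BITS = set("wa")  # assumption: flag any entry holding w (write) or a (administer)

def expand(group, members, seen=None):
    """Return every principal reachable from `group` through nested membership."""
    seen = set() if seen is None else seen
    for m in members.get(group, ()):
        if m not in seen:          # the seen set also guards against membership cycles
            seen.add(m)
            expand(m, members, seen)
    return seen

def audit_acl(acl, blocked, members):
    """Return (entry, rights, reason) for each ACL entry that grants w or a
    to a blocked principal, directly or through a containing supergroup."""
    findings = []
    for entry, rights in acl.items():
        if not WRITE_BITS & set(rights):
            continue               # read-only style grants are outside the policy
        if entry in blocked:
            findings.append((entry, rights, "direct"))
            continue
        via = sorted(blocked & expand(entry, members))
        if via:
            findings.append((entry, rights, "contains " + ", ".join(via)))
    return findings

# Constructed sample: group -> members, as gathered from PTS membership listings
MEMBERS = {
    "people.foo": ["alice", "bob"],
    "adeason:foo": ["people.foo"],   # the supergroup from the thread
    "adeason:team": ["carol"],
}
# Constructed sample: one directory's normal rights
ACL = {
    "system:administrators": "rlidwka",
    "system:anyuser": "rlidwk",
    "adeason:foo": "rlidwka",
    "adeason:team": "rlidwk",
    "people.foo": "rl",
}
BLOCKED = {"system:anyuser", "people.foo"}

if __name__ == "__main__":
    for finding in audit_acl(ACL, BLOCKED, MEMBERS):
        print(finding)
```

A check of this kind reports the adeason:foo entry that a name-only match on people.foo would miss, which is the limitation raised in the quoted text.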
