>On Fri, Jul 03, 2009 at 05:45:14AM -0700, Casper Dik wrote: >> This project proposes two new "basic" privileges. >> >> FILE_READ >> Allows a process to read a file or directory whose >> permission or ACL allow the process read permission. >> >> FILE_WRITE >> Allows a process to write a file or directory whose >> permission or ACL allow the process write permission. > >Does not having basic file privileges affect a process' ability to >receive, via IPC, open file descriptors with contrary access?
No. >It might be useful to have a way to grant a process read and/or write >access to specific objects while still denying it the right to do so in >general. The simplest way to do that that I can imagine is by adding an >additional pair of basic file privileges that apply only to files in the >current directory (not following symlinks) and, perhaps, below. See, e.g., PSARC 2008/109 Casper
