>>>>> "nw" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
nw> What could we do to make it easier to use ACLs?

1. How about AFS-style ones where the effective permission is the AND of the ACL and the unix permission? You might have to combine this with an inheritable-by-subdirectories umask setting so you could create ACL-dominated lands of files that are all unix 777, but this would stop clobbering difficult-to-recreate ACLs as well as unintended information leaking.

2. Define a standard API for them, add the ability to replicate them to the GNU tools everyone else uses: GNUtar, rsync, and the fileutils (not the Solaris private versions full of weird options that can't handle large files or long pathnames, and not the Joerg Schilling tool), and *GET THE CHANGES MERGED UPSTREAM* so that as other OSes start supporting NFSv4, the same code is working over the ACLs everywhere.

Maybe we're beyond the point of no return for the first suggestion.