David Dyer-Bennet wrote:
On page 202 of the December 2008 Solaris ZFS Administration Guide, it says
the ACLs are processed in order. Then it says that an explicit allow ends
processing (or at least it says that a later deny can't override an
earlier allow).
But that's all it says; it doesn't really describe the interpretation
process completely. I certainly couldn't implement it from this! And I
can't figure out what my ACLs should mean from this.
In particular, does a matching deny entry also halt processing? Or does
processing continue, meaning that a later allow can override an earlier
deny?
An ACL is processed from top to bottom. A "deny" entry can't take away
an already granted "allow", nor can an "allow" take away a denied "deny"
entry.
For example:
user:joe:read_data/write_data:allow
user:joe:write_data:deny
In this case joe would be allowed read_data and write_data
whereas
user:joe:write_data/execute:deny
user:joe:read_data/write_data:allow
would deny "joe" the ability to execute or write_data, but joe could
still read the file's data.
Once a bit has been denied only a privilege subsystem override can give
you that ability.
-Mark
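As an added illustration (not part of the thread, and not ZFS code), the small simulator below encodes the evaluation rule Mark describes: entries are walked top to bottom, and for each permission bit the first entry naming the principal that mentions that bit decides it; later entries cannot reverse that decision. It assumes the "who:perms:type" entry format shown in the examples above, models only "user:<name>" principals, and treats a bit that no entry mentions as not granted (a labelled assumption about the default, which the reply does not spell out).

```python
# Added example, not from the zfs-discuss thread: simulate the first-match-per-bit
# evaluation order described for ZFS/NFSv4-style ACLs.
# Assumptions: entry syntax "user:<name>:<perm>/<perm>:allow|deny" as in the
# thread; a bit mentioned by no entry is reported as None and treated as not
# granted (assumed default, not stated in the reply).

from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    who: str         # principal, e.g. "user:joe"
    perms: frozenset # permission bits, e.g. {"read_data", "write_data"}
    kind: str        # "allow" or "deny"


def parse_acl(lines):
    """Parse lines such as 'user:joe:read_data/write_data:allow' into AclEntry objects."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag, name, perms, kind = line.split(":")
        if kind not in ("allow", "deny"):
            raise ValueError(f"unknown entry type in {line!r}")
        entries.append(AclEntry(f"{tag}:{name}", frozenset(perms.split("/")), kind))
    return entries


def evaluate(acl, principal, requested):
    """Decide each requested bit for a principal.

    Returns {bit: (kind, index)} where kind is "allow"/"deny" and index is the
    position of the entry that decided the bit, or (None, None) if no entry
    for this principal mentions the bit. Once a bit is decided, later entries
    are ignored for it, which is the rule the reply describes.
    """
    decision = {bit: (None, None) for bit in requested}
    for index, entry in enumerate(acl):
        if entry.who != principal:
            continue
        for bit in requested:
            if decision[bit][0] is None and bit in entry.perms:
                decision[bit] = (entry.kind, index)
    return decision


def check_access(acl, principal, requested):
    """True only if every requested bit was explicitly allowed (assumed default: not granted)."""
    return all(kind == "allow" for kind, _ in evaluate(acl, principal, requested).values())


# Constructed inputs, taken from the two examples in the reply.
EXAMPLE_ACL_1 = [
    "user:joe:read_data/write_data:allow",
    "user:joe:write_data:deny",
]
EXAMPLE_ACL_2 = [
    "user:joe:write_data/execute:deny",
    "user:joe:read_data/write_data:allow",
]

if __name__ == "__main__":
    for label, acl_lines in (("ACL 1", EXAMPLE_ACL_1), ("ACL 2", EXAMPLE_ACL_2)):
        acl = parse_acl(acl_lines)
        result = evaluate(acl, "user:joe", ["read_data", "write_data", "execute"])
        print(label)
        for bit, (kind, index) in result.items():
            where = f"entry {index}" if index is not None else "no matching entry"
            print(f"  {bit:10s} -> {kind or 'not granted'} ({where})")
```

Reading the trace is the useful part when auditing an ACL: the deciding entry index shows which line granted or refused each bit, so a "deny" that appears below an earlier "allow" for the same bit is visibly ineffective, exactly the situation the first example describes.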
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss