On Sun, 28 Feb 2010, Kjetil Torgrim Homme wrote:

> why are you doing this? it's inherently insecure to rely on ACL's to
> restrict access. do as David says and use ACL's to *grant* access. if
> needed, set permission on the file to 000 and use umask 777.

Umm, it's inherently insecure to rely on Access Control Lists to, well, control access? Doesn't that sound a bit off? The only reason it's insecure is because the ACL's don't stand alone, they're propped up on a legacy chmod interoperability house of cards which frequently falls down.

> why is umask 022 when you want 077? *that's* your problem.

What I want is for my inheritable ACL's not to be mixed in with legacy concepts. ACL's don't have a umask. One of the benefits of inherited ACL's is you don't need to globally pick "022, let people see what I'm up to" vs "077, hide it all". You can just create files, with the confidence that every one you create will have the appropriate permissions as configured. Except, of course, when they're comingled with incompatible security models.

Basically, it sounds like you're arguing I shouldn't try to fix ACL/chmod issues because ACL's are insecure because they have chmod issues 8-/.

--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | hen...@csupomona.edu
California State Polytechnic University | Pomona CA 91768