Relative vs. absolute ACLs, and necessity for '-' when printing
Casey Schaufler
casey at sgi.com
Mon Dec 18 17:49:28 GMT 2000
Robert Watson wrote:
>
> Two quickies:
>
> 1) The POSIX.2c setfacl spec refers to "absolute" and "relative" ACLs. In
> permission-land, the difference has to do with the use of an operator ('-',
> '+') rather than specification of a mode directly. In ACLs, I would guess
> it involves individual entries in the ACL using operators rather than
> absolutely specifying the rights, but I was unable to find this definition
> in .1e or .2c. Could someone point me in the right direction?
The intention is for setfacl("u:casey:-w") to delete Casey's write
access to the file.
> 2) The .2c getfacl specification states that a given right letter ("w",
> for example) "may" be replaced by a "-" if the right is not present.
Thus, o::x, o::-x, o::--x ought to be equivalent. In Irix we
let you toss a '-' in anywhere you want, and don't require
the access mode specifications to be in any particular order.
Thus, o::rw, o::r-w, o::rw-, o::---------w--------r---------- are
all legal, and equivalent.
I still bemoan the fact that you can't specify an octal digit.
> It strikes me that setfacl is a fairly unfortunate and over-burdened set
> of functionality, and that it's also rather hard to implement given the
> ACL editing library.
I personally believe that the whole thing is unnecessary. We
don't have it in Irix, and no one's complaining. There just
aren't that many applications which manipulate ACLs, and
the acl_{from,to}_text() pair is good enough for most of them.
> Earlier on the list, Andreas and I discussed an
> acl_from_text_with_flags()
Is it really necessary?
--
Casey Schaufler Manager, Trust Technology, SGI
casey at sgi.com voice: 650.933.1634
casey_p at pager.sgi.com Pager: 888.220.0607
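
An added example, not part of the original message and not Irix or POSIX code: a small C parser for the permission field that accepts '-' anywhere and letters in any order, as described in the message, and shows that the text "-w" yields write-only when read as an absolute placeholder form but removes write when read as a relative operator. The function names, bit values and the leading-operator rule are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define P_R 4   /* assumed bit values, mirroring the usual octal digits */
#define P_W 2
#define P_X 1

/* Lenient parse of a permission field: '-' may appear anywhere and the
   letters may come in any order. Returns the bits, or -1 on bad input. */
int parse_perms_lenient(const char *s)
{
    int bits = 0;
    for (; *s; s++) {
        switch (*s) {
        case 'r': bits |= P_R; break;
        case 'w': bits |= P_W; break;
        case 'x': bits |= P_X; break;
        case '-': break;              /* placeholder, carries no meaning */
        default:  return -1;          /* reject anything else */
        }
    }
    return bits;
}

/* Relative reading (hypothetical rule): a leading '+' or '-' is an
   operator on the entry's current bits; no operator means replace. */
int apply_relative(int current, const char *s)
{
    char op = (*s == '+' || *s == '-') ? *s++ : '=';
    int bits = parse_perms_lenient(s);
    if (bits < 0) return -1;
    if (op == '+') return current | bits;
    if (op == '-') return current & ~bits;
    return bits;
}

int main(void)
{
    const char *forms[] = { "rw", "r-w", "rw-", "---w---r---" };
    for (size_t i = 0; i < sizeof forms / sizeof forms[0]; i++)
        printf("%-12s -> %d\n", forms[i], parse_perms_lenient(forms[i]));
    /* Same text, two outcomes for an entry that currently holds rw: */
    printf("absolute \"-w\": %d\n", parse_perms_lenient("-w"));
    printf("relative \"-w\": %d\n", apply_relative(P_R | P_W, "-w"));
    return 0;
}
```

A tool that accepts both readings has to decide from context (the command or mode in use) which one applies, because the string alone does not say.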