This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: group permissions


On 02/10/2015 02:21 AM, Corinna Vinschen wrote:
> o The other way to emulate writing an ACL_MASK entry would be to drop
>   permissions from all groups and secondary users so they match the
>   desired mask value.  This is secure, but in contrast to the other
>   solution it would change the secondary permissions permanently.
>   Changing the mask back would not change the permissions of the
>   secondary ACL entries back.

Possible enhancement on this idea (I have no clue if it would actually
work, though):

When rewriting ACE entries because of the just-added restrictive
ACL_MASK, put in some marker that mimics the default deny-all action,
then additional entries in the tail of the ACE list that show the
pre-modified permissions that we just took away due to the mask.  If we
later loosen the mask, we can use the tail of entries to restore
original permissions.  And since the tail occurs after a catch-all deny,
they won't grant permissions in the meantime.  The trick then becomes
telling when we have stuck our marker in place to represent that we have
injected tail entries to reflect the state to restore if ACL_MASK is
relaxed.

> 
> I'm open to discuss this further.  It needs implementing, of course.

Always the case, and sadly, my lack of experience in this topic is
showing through.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature
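
A toy model of the marker-and-tail idea in the message above, added here as an illustration; it is not code from the message or from Cygwin. It assumes an ACL holding only the secondary entries, an ordered walk in which a matching deny stops evaluation, and a hypothetical `MARKER` entry; no Windows API is involved.

```python
# Toy model (constructed for illustration): an ACL is an ordered list of
# (kind, principal, perms) tuples; perms are rwx bits as in POSIX.
R, W, X = 4, 2, 1
ALL = R | W | X
MARKER = ("deny", "*", ALL)  # hypothetical marker: a catch-all deny entry

# Constructed sample: secondary entries only (owner/other are not masked).
SAMPLE = [("allow", "group:dev", R | W), ("allow", "user:bob", R | W | X)]


def check(acl, who, want):
    """Ordered walk: allows accumulate, a matching deny ends the walk."""
    granted = 0
    for kind, principal, perms in acl:
        if principal not in (who, "*"):
            continue
        if kind == "deny" and perms & want & ~granted:
            return False          # entries after this point are never reached
        if kind == "allow":
            granted |= perms
        if want & ~granted == 0:
            return True
    return False                  # implicit deny at the end of the list


def set_mask(acl, mask):
    """Rewrite entries to perms & mask, keeping the originals after MARKER."""
    if MARKER in acl:
        # A mask was applied before: the tail still holds the pre-mask state.
        originals = acl[acl.index(MARKER) + 1:]
    else:
        # First mask: the current entries are the state to restore later.
        originals = list(acl)
    head = [(kind, who, perms & mask) for kind, who, perms in originals]
    return head + [MARKER] + originals


if __name__ == "__main__":
    masked = set_mask(SAMPLE, R)        # restrictive mask: read only
    print(check(masked, "group:dev", W), check(masked, "group:dev", R))
    relaxed = set_mask(masked, ALL)     # loosened mask restores from the tail
    print(check(relaxed, "group:dev", W), check(relaxed, "user:bob", X))
```

The presence of `MARKER` is what tells `set_mask` that a tail already exists, which is the detection problem the message ends on; a real implementation would need a marker that cannot be confused with an entry a user set deliberately.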

