On Sat, Apr 19, 2003 at 02:00:07AM -0400, Brett I. Holcomb wrote:
> So what is the purpose of granting someone, say user A rwx permissions if the
> mask will only allow r---? I thought the ACL entry would override the mask.

well there isn't much of one really, unless you anticipated wanting to
grant rwx permission to a few of these users at a future time, then
all you need to do is change the mask and they all immediately get the
access.

the purpose of the mask is explained best in the posix acl draft.
basically its purpose is to maintain the ability to easily control
access with chmod, rather than being stuck in acl-hell like NT.

when you apply acls the normal group permissions as far as ls and
chmod are concerned now reflect the mask, not the group perms
(personally i think it should control both simultaneously...). this
way if you do a chmod 600 file, you expect that all but the owner's
access to this file are revoked, with the way masks work now this is
true, if there was not a mask then you would THINK you revoked all
access to the file, but you really would not have due to the
semi-hidden acl entries (they are not directly shown by ls -l).

again the posix draft explains it better than i do, the idea is sound
and makes good sense (it maintains the easy to administer unix
permissions model, while allowing acls to coexist sanely). the only
gripe i have with it is once you have acls which create a mask, it's no
longer possible to manipulate the group permissions with chmod, you
have to use setfacl, i think an easy and sensible way to solve that is
have chmod() set both mask and primary group perms, i think this would
not be unexpected behavior (i find it unexpected that the group perms
can't be changed by chmod anymore...).
--
Ethan Benson
http://www.alaska.net/~erbenson/
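
The mask behaviour described in the message above, as an added example that is not part of the original e-mail: it computes effective permissions from getfacl-style entries and models chmod rewriting the mask. The ACL text, the names alice and staff, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: effective POSIX ACL permissions under the mask.
# SAMPLE_ACL is constructed text in getfacl's entry format (alice and
# staff are made-up names); nothing here touches a real file.
SAMPLE_ACL='user::rwx
user:alice:rwx
group::r-x
group:staff:rw-
mask::r--
other::---'

# and_perms PERMS MASK: keep a bit only if both strings grant it.
and_perms() {
    out=""
    for bit in r w x; do
        case "$1" in *"$bit"*)
            case "$2" in *"$bit"*) out="$out$bit"; continue ;; esac ;;
        esac
        out="$out-"
    done
    printf '%s\n' "$out"
}

# effective ACL: print "tag:qualifier perms" as the kernel would apply them.
# The owner (user::) and other:: bypass the mask; named users, the owning
# group and named groups are all ANDed with it.
effective() {
    mask=$(printf '%s\n' "$1" | sed -n 's/^mask::\(.*\)$/\1/p')
    printf '%s\n' "$1" | while IFS=: read -r tag qual perms; do
        case "$tag" in ""|mask) continue ;; esac
        if [ -n "$mask" ] && [ "$tag:$qual" != "user:" ] && [ "$tag" != other ]; then
            perms=$(and_perms "$perms" "$mask")
        fi
        printf '%s:%s %s\n' "$tag" "$qual" "$perms"
    done
}

# apply_chmod ACL UBITS GBITS OBITS: model chmod on a file with this ACL.
# With a mask entry present the group bits rewrite mask::, not group::.
apply_chmod() {
    gtag="group::"
    case "$1" in *mask::*) gtag="mask::" ;; esac
    printf '%s\n' "$1" | sed -e "s/^user::.*/user::$2/" \
        -e "s/^$gtag.*/$gtag$3/" -e "s/^other::.*/other::$4/"
}

echo "as stored:";       effective "$SAMPLE_ACL"
echo "after chmod 600:"; effective "$(apply_chmod "$SAMPLE_ACL" rw- --- ---)"
```

The stored user:alice:rwx entry survives the modelled chmod 600 untouched; only the mask changes, so widening the mask again restores access for every named entry at once.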