On page 202 of the December 2008 Solaris ZFS Administration Guide, it says the ACLs are processed in order. Then it says that an explicit allow ends processing (or at least it says that a later deny can't override an earlier allow).

But that's all it says; it doesn't really describe the interpretation process completely. I certainly couldn't implement it from this! And I can't figure out what my ACLs should mean from this.

In particular, does a matching deny entry also halt processing? Or does processing continue, meaning that a later allow can override an earlier deny?

-- 
David Dyer-Bennet, dd-b at dd-b.net; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info
David Dyer-Bennet wrote:
> On page 202 of the December 2008 Solaris ZFS Administration Guide, it says
> the ACLs are processed in order. Then it says that an explicit allow ends
> processing (or at least it says that a later deny can't override an
> earlier allow).
>
> But that's all it says; it doesn't really describe the interpretation
> process completely. I certainly couldn't implement it from this! And I
> can't figure out what my ACLs should mean from this.
>
> In particular, does a matching deny entry also halt processing? Or does
> processing continue, meaning that a later allow can override an earlier
> deny?
>

An ACL is processed from top to bottom. A "deny" entry can't take away an already granted "allow", nor can an "allow" take away an already denied "deny" entry.

For example:

user:joe:read_data/write_data:allow
user:joe:write_data:deny

In this case joe would be allowed read_data and write_data, whereas

user:joe:write_data/execute:deny
user:joe:read_data/write_data:allow

would deny "joe" the ability to execute or write_data, but joe could still read the file's data.

Once a bit has been denied, only a privilege subsystem override can give you that ability.

-Mark
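The first-match-per-bit rule Mark describes, as an added example (not code from the thread or from ZFS itself) that models it in Python. It parses entries in the `user:name:perm/perm:allow|deny` form used above and evaluates a request; it assumes exact principal-string matching and ignores owner@/group@/everyone@ and group membership, which real ZFS also handles.

```python
# Added example: a small model of the ZFS/NFSv4 ACL evaluation order.
# Entries are walked top to bottom; each requested permission bit is settled
# by the FIRST matching entry that names it, and later entries cannot grant
# or revoke it again. Bits no entry mentions are denied (no implicit allow).
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    principal: str        # e.g. "user:joe" (assumption: exact string match)
    perms: frozenset      # e.g. {"read_data", "write_data"}
    kind: str             # "allow" or "deny"


def parse_acl(text: str) -> list:
    """Parse lines like 'user:joe:read_data/write_data:allow'."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        who, name, perms, kind = line.split(":")
        if kind not in ("allow", "deny"):
            raise ValueError(f"bad entry type in {line!r}")
        entries.append(AclEntry(f"{who}:{name}", frozenset(perms.split("/")), kind))
    return entries


def evaluate(acl, principal: str, requested) -> bool:
    """True only if every requested permission ends up allowed."""
    requested = set(requested)
    decided = {}                       # perm -> True (allowed) / False (denied)
    for entry in acl:
        if entry.principal != principal:
            continue
        for perm in entry.perms & requested:
            if perm not in decided:    # first entry naming the bit wins
                decided[perm] = entry.kind == "allow"
        if len(decided) == len(requested):
            break                      # every requested bit is settled
    return all(decided.get(p, False) for p in requested)


# The two ACLs from Mark's message (constructed sample input).
ACL_ALLOW_FIRST = parse_acl("""
user:joe:read_data/write_data:allow
user:joe:write_data:deny
""")
ACL_DENY_FIRST = parse_acl("""
user:joe:write_data/execute:deny
user:joe:read_data/write_data:allow
""")
```

With ACL_ALLOW_FIRST, joe gets write_data despite the later deny; with ACL_DENY_FIRST, the later allow cannot restore write_data, but read_data is still granted.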
Mark Shellenbaum wrote:
> David Dyer-Bennet wrote:
>> On page 202 of the December 2008 Solaris ZFS Administration Guide, it
>> says
>> the ACLs are processed in order. Then it says that an explicit allow
>> ends
>> processing (or at least it says that a later deny can't override an
>> earlier allow).
>>
>> But that's all it says; it doesn't really describe the interpretation
>> process completely. I certainly couldn't implement it from this! And I
>> can't figure out what my ACLs should mean from this.
>>
>> In particular, does a matching deny entry also halt processing? Or does
>> processing continue, meaning that a later allow can override an earlier
>> deny?
>>
>>
>
> An ACL is processed from top to bottom. A "deny" entry can't take
> away an already granted "allow" nor can a "allow" take away an denied
> "deny" entry.
>
> For example:
>
> [snip]
>
> Once a bit has been denied only a privilege subsystem override can
> give you that ability.

Thanks, that's what I guessed and what simple experiments seemed to show, but.... Happy to have it confirmed.

So the list is processed top to bottom and the first definite answer is THE answer.