[Tfug] Ideas for handling group based allow/deny permissions?

Choprboy choprboy at dakotacom.net
Wed Jun 23 18:41:05 MST 2004


On Wednesday 23 June 2004 16:21, elemint at theriver.com wrote:
> What about something like this?
> http://www.linuxsecurity.com/resource_files/host_security/trustees-quickstart.html
> 
> But I do not think it will solve the anding problem where someone is in
> one group that allows read and another that is denied.
> 
> What about having the groups without read and without write as opposed to
> deny? Would that achieve the same thing? They would not have the permission
> to read and write, but they would not have the all-powerful deny. What do
> you think?
> 

Hmm, well, looking at Linux ACLs, according to the statement of algorithm, if 
you are explicitly denied through any group, you are denied absolutely. Only 
if you are not explicitly denied does a review of potential allows occur.

I'm not quite sure I understand what you meant in that second statement. I 
think you meant that no specific users have the right to deny other groups. 
Groups are, by default, without explicit allows (i.e. you can only grant 
permissions to others). The first shows the exact example I was talking about; 
the second doesn't allow you to deny/revoke subsets of users from larger sets 
(which might well be far easier than allowing multiple subsets).

Looking at Oracle ACLs, they look somewhat like a cross between what I was 
thinking and Linux ACLs. Groups can have specific permissions given or 
removed and then specific users can be denied. Order makes a difference (i.e. 
being a member of one group gives you permission, but a later group 
membership removes that permission) which makes sorting the "priority" group 
memberships a pain.

I started thinking about trying to manage permissions groups by level, i.e. 
"marketing", "sales", "management", "HR" are all subgroups of "employees". So 
if you allowed "employees" but denied "sales", someone who was in "sales", 
but also "management" would be allowed because they have a greater overall 
standing in the "employees" group... or something like that...

Adrian
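The three evaluation policies discussed in this thread (any deny wins absolutely, ordered entries where a later group membership revokes an earlier grant, and an allow-only ACL with no deny at all) can be compared on the same user and group data. The following is an added example written for this archive page; it is not code from the thread, from Linux, or from Oracle, and it models the policies only as the message above describes them. The users, groups and ACL entries are constructed sample data.

```python
"""Toy evaluator for group-based allow/deny permissions.

Models three policies from the discussion (constructed example, not a real
ACL implementation):
  deny_wins  - an explicit deny on any matching group/user is absolute;
               otherwise an explicit allow is required.
  ordered    - entries are evaluated in order and the last match decides,
               so a later group membership can revoke an earlier grant.
  allow-only - the ACL simply contains no deny entries, so the "anding
               problem" cannot arise, at the cost of having to enumerate
               every subgroup that should be granted.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Entry:
    principal: str  # user or group name this entry applies to
    perm: str       # permission name, e.g. "read" or "write"
    allow: bool     # True = grant, False = deny


# Constructed sample directory: group name -> members.
GROUPS: Dict[str, FrozenSet[str]] = {
    "employees":  frozenset({"alice", "bob", "carol"}),
    "sales":      frozenset({"alice", "bob"}),
    "management": frozenset({"alice"}),
    "hr":         frozenset({"carol"}),
}

# "Everyone may read, except sales" expressed with a deny entry.
ACL_WITH_DENY: List[Entry] = [
    Entry("employees", "read", True),
    Entry("sales", "read", False),
    Entry("management", "read", True),
]

# The same intent expressed without any deny: grant each non-sales subgroup.
ACL_ALLOW_ONLY: List[Entry] = [
    Entry("management", "read", True),
    Entry("hr", "read", True),
    Entry("marketing", "read", True),  # no members in the sample data
]


def principals_for(user: str, groups: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    """Names an entry can match for this user: the user plus all their groups."""
    return frozenset({user} | {g for g, members in groups.items() if user in members})


def _matching(entries: List[Entry], who: FrozenSet[str], perm: str) -> List[Entry]:
    """Entries that apply to any of the user's principals for this permission."""
    return [e for e in entries if e.principal in who and e.perm == perm]


def deny_wins(entries: List[Entry], who: FrozenSet[str], perm: str) -> bool:
    """Any explicit deny is absolute; allows are only consulted if none denies."""
    matched = _matching(entries, who, perm)
    if any(not e.allow for e in matched):
        return False
    return any(e.allow for e in matched)


def ordered(entries: List[Entry], who: FrozenSet[str], perm: str) -> bool:
    """Last matching entry decides; a later deny revokes, a later allow re-grants."""
    decision = False  # default-deny when nothing matches
    for e in _matching(entries, who, perm):
        decision = e.allow
    return decision


def decide(user: str, perm: str, entries: List[Entry], policy) -> bool:
    """Resolve a user's group memberships and apply the chosen policy."""
    return policy(entries, principals_for(user, GROUPS), perm)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(
            f"{user:6} deny_wins={decide(user, 'read', ACL_WITH_DENY, deny_wins)!s:5} "
            f"ordered={decide(user, 'read', ACL_WITH_DENY, ordered)!s:5} "
            f"allow_only={decide(user, 'read', ACL_ALLOW_ONLY, deny_wins)!s:5}"
        )
```

Alice, who is in both "sales" and "management", is the interesting case: under `deny_wins` the sales deny blocks her regardless of the management grant; under `ordered` the outcome depends purely on whether the management entry is listed before or after the sales entry, which is exactly the "priority" sorting pain mentioned above. The allow-only ACL avoids the conflict but has to name every subgroup that should read, since "employees except sales" cannot be stated directly.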

