[Tfug] Ideas for handling group based allow/deny permissions?

Iketo iketo at cox.net
Wed Jun 23 19:03:25 MST 2004


May I point out a (im)perfect example?  Win2000 Networking permissions &
NTFS Permissions.

Both basically state if an implicit deny, you are not allowed access (Group
B is not allowed to access Group A due to an implicit deny). If there is no
permission set, then the most restrictive applies (Group C is allowed to see
Group A, but it cannot "see" Group B because they are not marked as able,
but Group A can "see" Group C because they have been allowed)

I know, MS again... ;)

----- Original Message ----- 
From: "Choprboy" <choprboy at dakotacom.net>
To: "Tucson Free Unix Group" <tfug at tfug.org>
Sent: Wednesday, June 23, 2004 6:41 PM
Subject: Re: [Tfug] Ideas for handling group based allow/deny permissions?


> On Wednesday 23 June 2004 16:21, elemint at theriver.com wrote:
> > What about something like this?
> >
>
http://www.linuxsecurity.com/resource_files/host_security/trustees-quickstart.html
> >
> > But I do not think it will solve the anding problem where someone is in
> > one group that allows read and another that is denied.
> >
> > What about having the groups without read and without write as opposed to
> > deny would that achieve the same thing they would not have the permission
> > to read and write but they would not have the all powerful deny, what do
> > you think?
> >
> >
>
> Hmm, well, looking at Linux ACLs, according to the statement of algorithm, if
> you are explicitly denied through any group, you are denied absolutely. Only
> if you are not explicitly denied does a review of potential allows occur.
>
> I'm not quite sure I understand what you meant in that second statement. I
> think you meant that no specific users have the right to deny other groups.
> Groups are by default, without explicit allows (i.e. you can only grant
> permissions to others). The first shows the exact example I was talking about,
> the second doesn't allow you to deny/revoke subsets of users from larger sets
> (which might well be far easier than allowing multiple subsets).
>
> Looking at Oracle ACLs, they look somewhat like a cross between what I was
> thinking and Linux ACLs. Groups can have specific permissions given or
> removed and then specific users can be denied. Order makes a difference (i.e.
> being a member of one group gives you permission, but a later group
> membership removes that permission) which makes sorting the "priority" group
> memberships a pain.
>
> I started thinking about trying to manage permissions groups by level, i.e.
> "marketing", "sales", "management", "HR" are all subgroups of "employees". So
> if you allowed "employees" but denied "sales", someone who was in "sales",
> but also "management" would be allowed because they have a greater overall
> standing in the "employees" group... or something like that...
>
> Adrian
> _______________________________________________
> tfug mailing list
> tfug at tfug.org
> https://www.tfug.org/mailman/listinfo/tfug
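
Added illustration (not code from this thread, nor the Linux, NTFS or Oracle
implementations): a small Python model of the three combining rules the
thread compares. A user in "sales" (read denied) and "management" (read and
write allowed), both subgroups of "employees" (read allowed), is evaluated
under deny-overrides, under order-dependent last-match, and under the
"most specific subgroup wins" idea from the last paragraph. The group tree
(PARENT_OF), the ACL entries and the users are constructed for the example.

```python
# Added illustration for the thread: three ways of combining group-based
# allow/deny entries.  Everything here (entries, group tree, users) is
# constructed for the example; it is not Linux, NTFS or Oracle code.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Entry:
    group: str
    effect: str              # "allow" or "deny"
    rights: FrozenSet[str]   # e.g. frozenset({"read", "write"})


# Constructed group tree: every department is a subgroup of "employees".
PARENT_OF: Dict[str, str] = {
    "marketing": "employees",
    "sales": "employees",
    "management": "employees",
    "hr": "employees",
}

# Constructed ACL, in the order an administrator wrote it.
ACL: List[Entry] = [
    Entry("employees", "allow", frozenset({"read"})),
    Entry("sales", "deny", frozenset({"read"})),
    Entry("management", "allow", frozenset({"read", "write"})),
]


def effective_groups(direct: FrozenSet[str], parent_of=PARENT_OF) -> FrozenSet[str]:
    """Expand direct memberships to include every ancestor group."""
    out = set()
    for g in direct:
        cur: Optional[str] = g
        while cur is not None:
            out.add(cur)
            cur = parent_of.get(cur)
    return frozenset(out)


def _relevant(acl, groups, right):
    """Entries that name one of the user's groups and mention this right."""
    return [e for e in acl if e.group in groups and right in e.rights]


def deny_overrides(acl, groups, right) -> bool:
    """Any explicit deny on any of the user's groups wins; otherwise an
    explicit allow is required; no entry at all means denied."""
    rel = _relevant(acl, groups, right)
    if any(e.effect == "deny" for e in rel):
        return False
    return any(e.effect == "allow" for e in rel)


def ordered_last_match(acl, groups, right) -> bool:
    """Entries are applied in list order and a later one overrides an
    earlier one, so the answer depends on how the list is sorted."""
    allowed = False
    for e in _relevant(acl, groups, right):
        allowed = (e.effect == "allow")
    return allowed


def most_specific_wins(acl, groups, right, parent_of=PARENT_OF) -> bool:
    """An entry on a deeper subgroup outranks one on its ancestor.  Two
    sibling groups at the same depth cannot be ranked by depth, so that
    tie falls back to deny-overrides."""
    def depth(g):
        d = 0
        while g in parent_of:
            g = parent_of[g]
            d += 1
        return d
    rel = _relevant(acl, groups, right)
    if not rel:
        return False
    deepest = max(depth(e.group) for e in rel)
    tie = [e for e in rel if depth(e.group) == deepest]
    return deny_overrides(tie, groups, right)


def decide(direct_groups, right, acl=ACL) -> Dict[str, bool]:
    """Run all three policies for one user and one right."""
    groups = effective_groups(frozenset(direct_groups))
    return {
        "deny_overrides": deny_overrides(acl, groups, right),
        "ordered_last_match": ordered_last_match(acl, groups, right),
        "most_specific_wins": most_specific_wins(acl, groups, right),
    }


if __name__ == "__main__":
    # bob is in sales (read denied) and management (read+write allowed)
    print("bob read  ", decide({"sales", "management"}, "read"))
    print("bob write ", decide({"sales", "management"}, "write"))
    print("alice read", decide({"marketing"}, "read"))
    # Swap the last two entries: only the ordered policy changes its answer.
    print("bob read, reordered ACL",
          decide({"sales", "management"}, "read", acl=[ACL[0], ACL[2], ACL[1]]))
```

Running it shows the "anding problem" directly: for bob's read, deny-overrides
says no, last-match says yes, and swapping the last two ACL entries flips the
last-match answer while the other two rules do not move. The subgroup rule does
not by itself resolve bob's case either, because "sales" and "management" are
siblings at the same depth; the tie-break chosen here is deny-overrides, which
is the opposite of the outcome the last paragraph above hopes for, so that
choice has to be made explicitly rather than left to the evaluation order.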