This is the mail archive of the cygwin mailing list for the Cygwin project.
On 02/10/2015 02:21 AM, Corinna Vinschen wrote:

> o The other way to emulate writing an ACL_MASK entry would be to drop
>   permissions from all groups and secondary users so they match the
>   desired mask value. This is secure, but in contrast to the other
>   solution it would change the secondary permissions permanently.
>   Changing the mask back would not change the permissions of the
>   secondary ACL entries back.

Possible enhancement on this idea (I have no clue if it would actually work, though):

When rewriting ACE entries because of the just-added restrictive ACL_MASK, put in some marker that mimics the default deny-all action, then additional entries in the tail of the ACE list that show the pre-modified permissions that we just took away due to the mask. If we later loosen the mask, we can use the tail of entries to restore original permissions. And since the tail occurs after a catch-all deny, they won't grant permissions in the meantime. The trick then becomes telling when we have stuck our marker in place to represent that we have injected tail entries to reflect the state to restore if ACL_MASK is relaxed.

>
> I'm open to discuss this further. It needs implementing, of course.

Always the case, and sadly, my lack of experience in this topic is showing through.

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
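
A small model of the scheme sketched in the message above, added here as an illustration; it is not code from the post or from Cygwin. The `Ace` class, the `*` catch-all principal, the rwx bit values and the use of a deny-everything ACE as the marker are assumptions, and a real ACL could already contain such an ACE, which is the marker-detection problem the message raises.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1
ALL = R | W | X
EVERYONE = "*"  # assumed catch-all principal for this model

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    who: str
    perms: int

# Assumed marker: a deny-everything ACE separating live entries from the tail.
MARKER = Ace("deny", EVERYONE, ALL)

def access(acl, who, want):
    """Ordered evaluation: ACEs are read top to bottom, default is deny."""
    granted = 0
    for ace in acl:
        if ace.who not in (who, EVERYONE):
            continue
        if ace.kind == "deny" and ace.perms & want & ~granted:
            return False          # a still-missing bit is denied here
        if ace.kind == "allow":
            granted |= ace.perms
        if granted & want == want:
            return True
    return False

def split(acl):
    """Return (live entries, saved tail); the tail is empty without a marker."""
    if MARKER in acl:
        i = acl.index(MARKER)
        return acl[:i], acl[i + 1:]
    return list(acl), []

def set_mask(acl, owner, mask):
    """Mask all non-owner allow entries, keeping their originals in the tail."""
    live, tail = split(acl)
    head = [a for a in live if a.who == owner]
    originals = tail or [a for a in live if a.who != owner]
    masked = [Ace("allow", a.who, a.perms & mask) for a in originals]
    if masked == originals:       # mask restricts nothing: no marker needed
        return head + originals
    return head + masked + [MARKER] + originals

# Constructed sample ACL: owner first, then secondary entries.
ACL = [Ace("allow", "owner", ALL), Ace("allow", "alice", R | W),
       Ace("allow", "staff", R | X)]
```

Calling `set_mask` again with a looser mask rebuilds the live entries from the tail, so tightening and then relaxing the mask returns the original list.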