Re: Question about parsing acl to get linux attributes.

Op za 31 jul. 2021 om 23:57 schreef ronnie sahlberg <ronniesahlberg@xxxxxxxxx>:
>
> Example:
> 1, S-1-2-ALICE        ALLOW   READ
> 2, S-1-2-BOB          ALLOW   READ/WRITE
> 3, S-1-2-EVERYBODY    ALLOW   READ/WRITE
> 4, S-1-2-BOB          DENY    WRITE
>
> In this case, even though there are two ACEs that would grant BOB
> WRITE access (the ACE for BOB and EVERYBODY), BOB is still denied
> write access due to the presence of a DENY ACE for WRITE.
>
> In this case the ACEs are evaluated in the following order
> 4, 1, 2, 3

Wow, this will take a lot of time to process when listing a directory.
After the readdir, for every entry a lookup is done for more details,
and then this processing of a list has to be done.

Is it really required to do this more than once? You mention looking
first for the denies, and then for the allow entries. But what happens if
there are no allow entries? Then it will be denied, I think. Is it
something like iptables: there is a default policy which counts when
no rule applies?
If this is the case you do not have to do it twice:
- if the policy is deny, you only have to look for allow rules
- and vice versa: if the policy is allow, you will have to look for deny rules

Stef

PS: it is sophisticated, but (I read somewhere) no system administrator
will use the fine-grained rules; they use the defaults (which make them
predictable).
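The evaluation order described in the quoted mail, as an added example that is not part of this thread or of the cifs client code. It evaluates the example ACL the two-phase way (DENY ACEs first, then ALLOW ACEs, default deny when nothing grants the requested bits) and, beside it, the single-walk variant suggested in the reply: union the applicable ALLOW masks, union the applicable DENY masks, and strip the denied bits. The two access bits, the SID strings, the token sets (requester SID plus group SIDs) and the extra requester S-1-2-DAVE are constructed for the example.

```python
"""Evaluate an NT-style DACL as described in the quoted mail: DENY ACEs
first, then ALLOW ACEs, with access denied unless every requested bit is
granted.  A single-pass variant shows the ACL need not be walked twice."""

# Access-mask bits.  Constructed for this example; real NT masks are 32-bit.
READ = 0x1
WRITE = 0x2

# An ACE as (sid, type, mask).  SIDs are the illustrative ones from the mail.
ACL = [
    ("S-1-2-ALICE",     "ALLOW", READ),
    ("S-1-2-BOB",       "ALLOW", READ | WRITE),
    ("S-1-2-EVERYBODY", "ALLOW", READ | WRITE),
    ("S-1-2-BOB",       "DENY",  WRITE),
]

# A token is the set of SIDs a requester holds (user SID plus group SIDs).
TOKEN_BOB   = frozenset({"S-1-2-BOB", "S-1-2-EVERYBODY"})
TOKEN_ALICE = frozenset({"S-1-2-ALICE", "S-1-2-EVERYBODY"})
TOKEN_DAVE  = frozenset({"S-1-2-DAVE"})   # constructed: matches no ACE at all


def access_check_two_phase(acl, token, requested):
    """Denies first (in ACL order), then allows (in ACL order).

    A DENY ACE covering any requested bit ends the check immediately.
    ALLOW ACEs accumulate: BOB's READ may come from BOB's own ACE or from
    EVERYBODY's.  If no ACE grants some requested bit the result is deny;
    there is no implicit allow.
    """
    for sid, kind, mask in acl:
        if kind == "DENY" and sid in token and (requested & mask):
            return False
    remaining = requested
    for sid, kind, mask in acl:
        if kind == "ALLOW" and sid in token:
            remaining &= ~mask
            if remaining == 0:
                return True
    return remaining == 0


def effective_mask(acl, token):
    """One walk over the ACL: union the ALLOW masks and the DENY masks that
    apply to the token, then strip the denied bits.  Because the default is
    deny and an explicit DENY always wins, this equals the two-phase result
    for every possible requested mask."""
    allowed = denied = 0
    for sid, kind, mask in acl:
        if sid not in token:
            continue
        if kind == "DENY":
            denied |= mask
        else:
            allowed |= mask
    return allowed & ~denied


def access_check_single_pass(acl, token, requested):
    """Granted iff every requested bit survives in the effective mask."""
    return (requested & ~effective_mask(acl, token)) == 0


def check_equivalent(acl, tokens):
    """Exhaustively compare both evaluators over every requested mask."""
    for token in tokens:
        for requested in range(0, (READ | WRITE) + 1):
            two = access_check_two_phase(acl, token, requested)
            one = access_check_single_pass(acl, token, requested)
            if two != one:
                return False
    return True


if __name__ == "__main__":
    for name, token in (("BOB", TOKEN_BOB), ("ALICE", TOKEN_ALICE),
                        ("DAVE", TOKEN_DAVE)):
        m = effective_mask(ACL, token)
        print(f"{name}: read={bool(m & READ)} write={bool(m & WRITE)}")
```

The single-walk shortcut is exact only because the denies are evaluated ahead of the allows, which is the order the quoted mail gives (NT canonical order). An ACL stored with an ALLOW ahead of a DENY for the same SID is evaluated by Windows in stored order, so the earlier ALLOW wins for the bits it grants and the two functions would then disagree; a parser that wants the shortcut should first confirm the DACL is in canonical order.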
