[cvsnt] Re: chacl problem configuring access to individual files

Oliver Koltermann okoltermann_deletethis_ at gmx.de
Tue May 2 10:28:18 BST 2006


Gerhard Fiedler <lists at connectionbrazil.com> writes:

> Oliver Koltermann wrote:
> 
> > If I remember correctly, the normal way it is interpreted on *nix is,
> > that directory write gives the right to create/modify the directory
> > entries, e.g. adding new files. The access of existing files is
> > determined by the files permission. There is no specific-to-general
> > relation as you assumed.
> 
> I kind of disagree with the last sentence. If you have the right to create
> new files in a directory (that is, write permission for the directory), you
> by inheritance have the right to write to the files in that directory --
> unless there is a more specific permission set on a file that prohibits you
> from writing (or vice versa). I think that's the same on *ix and WinNT type
> systems. That's the specific-to-general rule I was talking about.

You are right, I'm sorry about the incorrectness of my
post. Unfortunately I posted *before* looking into the manual
again... (see later posting)
[...folder/file read, write, execute permissions...]

> Yes, and IMO it shows that this concept of changing the meaning of a
> permission depending on whether it's on a folder or on a file (like both
> *ix and Win do it) doesn't work well. I never liked that.

I agree that it's a bad sign for a clear concept that it needs a lot
of explanation and background to understand.

> I think the meaning of a permission should be independent of whether it is
> applied to a folder or to a file, and it should affect what it is supposed
> to affect independently of where it is applied to. Where it is applied to
> should only affect its propagation: applied to a folder means that it is
> propagated (by default) to files and folders in that folder; applied to a
> file means that it is only applied to that file.
> 
> For example, there could be a "write" permission that allows writing to
> files. There could be an "add files" permission that allows adding files.
> The propagation rules would be the same for both; both can be applied to
> files and folders. (Of course, the "add files" permission on a file doesn't
> give you anything, as you can't add files to a file.) And their meaning
> wouldn't change when applied to a file vs. to a folder, only their way of
> propagating: having the "write" permission on a folder would only mean that
> I have the "write" permission for the files under that folder, not that I
> have the "add files" permission for that folder.

This sounds reasonable, but I can't oversee all aspects of this
problem to fill in this discussion. I understand that CVSNT's
permission concept was designed to go in the same direction as *ix and
NT's one to be useable without learning new rules.

Best regards,
O. Koltermann
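As an added example (not part of either poster's text, and not CVSNT code), the following POSIX shell script probes the *nix semantics the thread discusses. It builds a scratch tree under mktemp with two cases: a writable directory (mode 755) holding a read-only file (444), and a read-only directory (555) holding a writable file (644). It then reports which operations succeed. The function and path names are the example's own. The observable rule it demonstrates: the file's own mode governs its contents, while the directory's write bit governs its entries (creating a new name, or unlinking an existing one, even when that file is itself read-only). Root is the caveat a practitioner should remember: with DAC override every row comes back "allowed", so a permission audit run as root tells you nothing about what ordinary users can do.

```shell
#!/bin/sh
# Added example, not from the cvsnt thread: probe POSIX directory-vs-file
# permission semantics with a scratch tree under mktemp. Function and
# path names are this example's own.

# Run a command; print "allowed" if it succeeded, "denied" otherwise.
probe() {
    if "$@" 2>/dev/null; then echo allowed; else echo denied; fi
}

# Build the scratch tree and print its path:
#   wdir/  (mode 755) holding ro.txt (mode 444) -> writable dir, read-only file
#   rodir/ (mode 555) holding rw.txt (mode 644) -> read-only dir, writable file
setup_tree() {
    base=$(mktemp -d)
    mkdir "$base/wdir" "$base/rodir"
    echo original > "$base/wdir/ro.txt"
    echo original > "$base/rodir/rw.txt"
    chmod 755 "$base/wdir"  && chmod 444 "$base/wdir/ro.txt"
    chmod 555 "$base/rodir" && chmod 644 "$base/rodir/rw.txt"
    echo "$base"
}

# Restore write bits before deleting, otherwise rm fails inside rodir.
cleanup_tree() {
    chmod -R u+w "$1" && rm -rf "$1"
}

# Writable directory, read-only file: the file's own mode governs its contents.
write_file_in_writable_dir()  { probe sh -c "echo changed > '$1/wdir/ro.txt'"; }
# ...but the directory's write bit governs its entries: new names can be created
create_file_in_writable_dir() { probe sh -c "echo new > '$1/wdir/new.txt'"; }
# ...and existing names can be unlinked, even though the file itself is 444.
unlink_file_in_writable_dir() { probe rm -f "$1/wdir/ro.txt"; }

# Read-only directory, writable file: contents can change, entries cannot.
write_file_in_readonly_dir()  { probe sh -c "echo changed > '$1/rodir/rw.txt'"; }
create_file_in_readonly_dir() { probe sh -c "echo new > '$1/rodir/new.txt'"; }

# Print the matrix. As root (DAC override) every row reads "allowed".
demo() {
    t=$(setup_tree)
    printf 'write existing file, dir=755 file=444 : %s\n' "$(write_file_in_writable_dir "$t")"
    printf 'create new file,     dir=755          : %s\n' "$(create_file_in_writable_dir "$t")"
    printf 'unlink file,         dir=755 file=444 : %s\n' "$(unlink_file_in_writable_dir "$t")"
    printf 'write existing file, dir=555 file=644 : %s\n' "$(write_file_in_readonly_dir "$t")"
    printf 'create new file,     dir=555          : %s\n' "$(create_file_in_readonly_dir "$t")"
    cleanup_tree "$t"
}

demo
```

Run it as an unprivileged user to see the two "denied" rows; the same script run as root shows why checking repository permissions from a root shell gives a false sense of what clients can do.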
