Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S264305AbTEPAeF (ORCPT ); Thu, 15 May 2003 20:34:05 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S264323AbTEPAeF (ORCPT ); Thu, 15 May 2003 20:34:05 -0400 Received: from windlord.Stanford.EDU ([171.64.19.147]:55696 "HELO windlord.stanford.edu") by vger.kernel.org with SMTP id S264305AbTEPAeD (ORCPT ); Thu, 15 May 2003 20:34:03 -0400 To: Garance A Drosihn Cc: Linus Torvalds , David Howells , linux-kernel@vger.kernel.org, , Subject: Re: [OpenAFS-devel] Re: Alternative to PAGs References: In-Reply-To: (Garance A Drosihn's message of "Thu, 15 May 2003 19:14:27 -0400") From: Russ Allbery Organization: The Eyrie Date: Thu, 15 May 2003 17:46:48 -0700 Message-ID: User-Agent: Gnus/5.090008 (Oort Gnus v0.08) XEmacs/21.4 (Portable Code, sparc-sun-solaris2.6) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1377 Lines: 30 Garance A Drosihn writes: > What AFS does not want is for a single process to be drosehn@rpi.edu and > linus@rpi.edu at the exact same time. That is to avoid the question of > what open() should do on a file which is permitted: > drosehn rlidwka > linus none An even better example without an obvious answer (which in this case is that the open should be allowed, since that ACL says that drosehn should be able to open the file and says nothing about linus) would be if linus had negative rights (in other words, if the ACL actively asserted that linus should *not* be able to open the file regardless of the other ACLs). AFS supports the notion of negative rights primarily in combination with groups, so you can have a situation like: Normal rights: organization:itss rlidwka Negative rights: rra rlidwka where rra is a member of organization:itss. rra will be denied access to that directory despite the fact that his membership in organization:itss would normally give him full rights. -- Russ Allbery (rra@stanford.edu) - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/