Message-ID: <54DBBB52.8070002@redhat.com>
Date: Wed, 11 Feb 2015 13:28:02 -0700
From: Eric Blake <eblake@redhat.com>
To: cygwin@cygwin.com
Subject: Re: group permissions
References: <54D7EB4E.6020105@towo.net> <20150209091445.GA10457@calimero.vinschen.de> <54D91687.8090301@towo.net> <20150210092122.GA15989@calimero.vinschen.de>
In-Reply-To: <20150210092122.GA15989@calimero.vinschen.de>

On 02/10/2015 02:21 AM, Corinna Vinschen wrote:
> o The other way to emulate writing an ACL_MASK entry would be to drop
>   permissions from all groups and secondary users so they match the
>   desired mask value.  This is secure, but in contrast to the other
>   solution it would change the secondary permissions permanently.
>   Changing the mask back would not change the permissions of the
>   secondary ACL entries back.

Possible enhancement on this idea (I have no clue if it would actually
work, though):

When rewriting ACE entries because of the just-added restrictive
ACL_MASK, put in some marker that mimics the default deny-all action,
then additional entries in the tail of the ACE list that show the
pre-modified permissions that we just took away due to the mask.  If we
later loosen the mask, we can use the tail of entries to restore the
original permissions.  And since the tail occurs after a catch-all deny,
they won't grant permissions in the meantime.  The trick then becomes
telling when we have stuck our marker in place to represent that we have
injected tail entries to reflect the state to restore if ACL_MASK is
relaxed.

> 
> I'm open to discussing this further.  It needs implementing, of course.

Always the case, and sadly, my lack of experience in this topic is
showing through.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
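A small simulation of the marker-plus-tail idea from the message above, added here as an illustration and not code from Eric Blake or from Cygwin. It uses a simplified three-bit rwx mask instead of real Windows access masks, constructed trustee names, and "Everyone" as a stand-in for the catch-all trustee; the evaluation order follows the Windows DACL rule (ACEs walked in order, allow bits accumulate, the first matching deny on a still-ungranted bit ends the walk), which is what makes the tail entries inert behind the deny-all marker.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1          # simplified rwx bits in place of Windows access masks
ALL = R | W | X
EVERYONE = "Everyone"      # constructed stand-in for the catch-all (World) trustee

@dataclass(frozen=True)
class Ace:
    kind: str      # "ALLOW" or "DENY"
    trustee: str
    mask: int

MARKER = Ace("DENY", EVERYONE, ALL)  # marker mimicking the default deny-all action

def check_access(dacl, principals, requested):
    """Windows-style DACL walk: accumulate bits from matching ALLOW ACEs and
    deny at the first matching DENY ACE that covers a still-ungranted bit."""
    granted = 0
    for ace in dacl:
        if ace.trustee != EVERYONE and ace.trustee not in principals:
            continue
        if ace.kind == "ALLOW":
            granted |= ace.mask & requested
            if granted == requested:
                return True
        elif ace.mask & requested & ~granted:
            return False
    return granted == requested  # implicit deny if any bit stays ungranted

def strip_marker(dacl):
    """Undo a previous apply_mask: put the pre-mask ACEs kept in the tail back."""
    if MARKER not in dacl:
        return list(dacl)
    idx = dacl.index(MARKER)
    saved = {(a.kind, a.trustee): a for a in dacl[idx + 1:]}
    return [saved.get((a.kind, a.trustee), a) for a in dacl[:idx]]

def apply_mask(dacl, masked_trustees, mask):
    """Emulate ACL_MASK: clip the ALLOW bits of group/secondary entries to
    `mask`, then append the deny-all marker followed by the original entries,
    which stay restorable but never grant anything while the mask holds."""
    clipped, tail = [], []
    for a in strip_marker(dacl):          # re-masking starts from the originals
        if a.kind == "ALLOW" and a.trustee in masked_trustees and a.mask & ~mask:
            clipped.append(Ace(a.kind, a.trustee, a.mask & mask))
            tail.append(a)
        else:
            clipped.append(a)
    return clipped + [MARKER] + tail if tail else clipped
```

The trick only holds while the ACE order is preserved: tools that re-sort a DACL into canonical order (explicit denies first) would move the marker to the front and deny everything, so a real implementation would have to detect and reject such reordering.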


