Re: adding/subtracting permissions ??
>I don't think negative authorizations by themselves are necessarily a
>problem.

In and of themselves, they're okay. I'd rather have, say, ten
"thou shalt not"'s than a zillion "you must's". :) (Time to haul
out the old Mad Guide to the Ten Commandments.)

>However they do cause trouble in the context of the proposed
>merging algorithm, which was designed with positive authorizations
>in mind.

This is an understatement. Look at NT ACL's. While there is real appeal
in being able to say "can execute every program except /bin/su", the
general merge of positive and negative to come up with a permission
test becomes real nasty. Perhaps limiting negative-auths to be a
qualifier on a real-auth makes sense. But that's a composed-at-the-MUA
idea, which might be silly.

/r$
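
Added example, not part of the original message and not the merging algorithm under discussion in the thread: a small model of why merging positive and negative authorizations from two sources is awkward, next to one reading of the "negative auth as a qualifier on a real auth" idea. The policies, the glob matching and all function names are constructed assumptions.

```python
from fnmatch import fnmatchcase
from itertools import permutations

# Constructed sample policies (not from the thread). An ACE is (kind, glob).
POLICY_A = [("deny", "/bin/su"), ("allow", "/bin/*")]  # "everything except /bin/su"
POLICY_B = [("allow", "/bin/su")]                       # a second source grants su

def first_match(aces, path):
    """Ordered evaluation: the first ACE whose pattern matches decides."""
    for kind, pattern in aces:
        if fnmatchcase(path, pattern):
            return kind == "allow"
    return False  # nothing matched: default deny

def deny_overrides(aces, path):
    """Unordered evaluation: any matching deny beats every matching allow."""
    hits = {kind for kind, pattern in aces if fnmatchcase(path, pattern)}
    return "allow" in hits and "deny" not in hits

# Assumed reading of the qualifier idea: a grant is (allow_glob, [except_globs]),
# and an exception only narrows the grant it is attached to.
GRANT_A = ("/bin/*", ["/bin/su"])
GRANT_B = ("/bin/su", [])

def qualified(grants, path):
    """Permit if some grant matches and none of that grant's own exceptions do."""
    return any(
        fnmatchcase(path, allow) and not any(fnmatchcase(path, e) for e in excepts)
        for allow, excepts in grants
    )

def merge_outcomes(evaluator, sources, path):
    """Evaluate every concatenation order of the sources; return the set of results."""
    return {
        evaluator([entry for src in order for entry in src], path)
        for order in permutations(sources)
    }

if __name__ == "__main__":
    for name, ev, srcs in [
        ("first-match", first_match, [POLICY_A, POLICY_B]),
        ("deny-overrides", deny_overrides, [POLICY_A, POLICY_B]),
        ("qualified grants", qualified, [[GRANT_A], [GRANT_B]]),
    ]:
        print(name, "/bin/su ->", merge_outcomes(ev, srcs, "/bin/su"))
```

With ordered evaluation the merged answer for /bin/su depends on which source is concatenated first; with deny-overrides it is stable but one source's deny silently cancels the other's grant; with qualified grants the merge is a plain union and stays order-independent.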