[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: adding/subtracting permissions ??

To: hal@rain.org, spki@c2.net
Subject: Re: adding/subtracting permissions ??
From: Rich Salz <rsalz@osf.org>
Date: Tue, 8 Apr 1997 10:44:35 -0400 (EDT)
Sender: owner-spki@c2.net

>I don't think negative authorizations by themselves are necessarily a
>problem.

In and of themselves, they're okay.  I'd rather have, say, ten
"thou shalt not"'s than a zillion "you must's". :)  (Time to haul
out the old Mad Guide to the Ten Commandments.)

>However they do cause trouble in the context of the proposed
>merging algorithm, which was designed with positive authorizations
>in mind.

This is an understatement.  Look at NT ACL's.  While there is real appeal
in being able to say "can execute every program except /bin/su", the
general merge of positive and negative to come up with a permission
test becomes real nasty.  Perhaps limiting negative-auths to be a
qualifier on a real-auth makes sense.  But that's a composed-at-the-MUA
idea, which might be silly.
	/r$

Prev by Date: Adding/subtracting permissions
Next by Date: Re: Other *-forms for dates and times, and love
Prev by thread: Re: adding/subtracting permissions ??
Next by thread: Adding/subtracting permissions
Index(es):
- Main
- Thread