Filemanager and ACL - bad usage

bbkc 2008-12-02 13:42:56 UTC #1

Hi,

I use a directory tree in filemanager, the root directory have rwxrwx— and the owner:root, group:root.

Then I put ACL for the users and their directories. But is not like a good acl, because if i had this directory tree:

ROOT- DEPARTMENTS - SCHOOLS - TEACHERS.

Then the theachers have the ACL in Theacers for write an read, but they can go to Teachers because have no acces to Departaments and school. And if i permit acces to departments, the acl give the read acl to every folder in departaments, and its a problem for then change all acl to NO ACCES for teachers of this school.

What is the right way? I change the foldrs to rwxrwxr-x but then anyone have acces to read everyfolder, and in ACL if i put NO ACCES to default group , the users can enter and the ACL failds, because permisions of folder are more restrictive i think

Oscar_Manuel_Gomez_S 2008-12-02 23:21:24 UTC #2

nothingg escribió:

Hi,

I use a directory tree in filemanager, the root directory have rwxrwx— and
the owner:root, group:root.

Then I put ACL for the users and their directories. But is not like a good
acl, because if i had this directory tree:

ROOT- DEPARTMENTS - SCHOOLS - TEACHERS.

Then the theachers have the ACL in Theacers for write an read, but they can
go to Teachers because have no acces to Departaments and school. And if i
permit acces to departments, the acl give the read acl to every folder in
departaments, and its a problem for then change all acl to NO ACCES for
teachers of this school.

What is the right way? I change the foldrs to rwxrwxr-x but then anyone have
acces to read everyfolder, and in ACL if i put NO ACCES to default group ,
the users can enter and the ACL failds, because permisions of folder are
more restrictive i think

Well, I might be wrong, but I’d say the tree would be:

\ -> Schools -> Departments -> Teachers (or switch these two last,
depending on specific organizations). Maybe both “Departments” and
"Teachers" should be right below “Schools”, at the same level of depth.

I didn’t test it with different logins, but the strategy would be
similar to the unix filesystem. For upper directories (i.e. “mostly
public readable”) I’d put read access (similar to /, /etc or /var).
Then, when going down, I’d start giving write permissions (you can give
specific ownerships) or explicit deny permissions through the extended
ACL (taking that you’re using 1.6).

I understand that this should work. However, if you have tested
something similar and you mean something like “the extended ACL system
is being ignored or not working as expected” then a big bug would be
taking place. I can test this from tomorrow on, but surely Ralf or
somebody else can put some light into this.

Regards.

----------------------------------------------------------------------|
http://counter.li.org info: Linux user: 92390 - Linux machine: 39301 |
Oscar Manuel Gómez Senovilla - omgsATescomposlinux.org |
GPG Key at http://keyserver.pgp.com |
----------------------------------------------------------------------|

This SF.Net email is sponsored by the Moblin Your Move Developer’s challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/

eGroupWare-developers mailing list
eGroupWare-developers@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/egroupware-developers