Mark Shellenbaum wrote:
David Dyer-Bennet wrote:
On page 202 of the December 2008 Solaris ZFS Administration Guide, it
says the ACLs are processed in order. Then it says that an explicit
allow ends processing (or at least it says that a later deny can't
override an earlier allow).

But that's all it says; it doesn't really describe the interpretation
process completely.  I certainly couldn't implement it from this!  And I
can't figure out what my ACLs should mean from this.

In particular, does a matching deny entry also halt processing?  Or does
processing continue, meaning that a later allow can override an earlier
deny?



An ACL is processed from top to bottom. A "deny" entry can't take away an already granted "allow", nor can an "allow" take away a denied "deny" entry.

For example:

[snip]

Once a bit has been denied only a privilege subsystem override can give you that ability.

Thanks, that's what I guessed and what simple experiments seemed to show, but.... Happy to have it confirmed. So the list is processed top to bottom and the first definite answer is THE answer.
_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss
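
The evaluation order discussed in this thread, modeled per permission bit as an added example (not code from ZFS or from either poster). The `Ace` type, the function names and the sample ACL are constructed for illustration; treating bits that no entry decides as denied is an assumption, and inheritance flags and privilege overrides are left out.

```python
from typing import NamedTuple

class Ace(NamedTuple):
    who: str          # "owner@", "group@", "everyone@" or "user:NAME"
    kind: str         # "allow" or "deny"
    perms: frozenset  # permission names this entry covers

def matches(ace, user, is_owner, in_group):
    """Does this entry apply to the requester at all?"""
    return (ace.who == "everyone@"
            or (ace.who == "owner@" and is_owner)
            or (ace.who == "group@" and in_group)
            or ace.who == "user:" + user)

def evaluate(acl, wanted, user, is_owner=False, in_group=False):
    """Return {perm: "allow" | "deny"} for every requested permission.

    Entries are read top to bottom. The first matching entry that mentions
    a permission decides it; later entries cannot change that answer,
    whether it was an allow or a deny.
    """
    wanted = frozenset(wanted)
    decided = {}
    for ace in acl:
        if not matches(ace, user, is_owner, in_group):
            continue
        for perm in ace.perms & wanted:
            decided.setdefault(perm, ace.kind)  # first answer sticks
        if len(decided) == len(wanted):
            break                               # nothing left to decide
    # Assumption: a permission no entry decided is refused.
    for perm in wanted:
        decided.setdefault(perm, "deny")
    return decided

def access_ok(acl, wanted, user, **who):
    """The request succeeds only if every requested permission is allowed."""
    return all(v == "allow" for v in evaluate(acl, wanted, user, **who).values())

# Constructed sample ACL: an early allow, a later broader deny, a final allow.
SAMPLE_ACL = [
    Ace("user:alice", "allow", frozenset({"read_data"})),
    Ace("user:alice", "deny", frozenset({"read_data", "write_data"})),
    Ace("everyone@", "allow", frozenset({"read_data", "write_data"})),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_ACL, {"read_data", "write_data"}, "alice"))
```

For alice the second entry cannot revoke `read_data`, and the final `everyone@` allow cannot restore `write_data`.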
