[cvsnt] Re: chacl problem configuring access to individual files

Gerhard Fiedler lists at connectionbrazil.com
Fri Apr 28 16:00:32 BST 2006


Oliver Koltermann wrote:

>> I'd expect a more specific setting to override a more general setting, so
>> giving write access to a specific file should IMO override the missing
>> write access on the directory. 
>> 
>> What would be the rationale for the write access on the file being
>> overridden by the missing write access on the directory? In that case, what
>> would be the purpose of being able to grant write access to a file?
> 
> If I remember correctly, the normal way it is interpreted on *nix is,
> that directory write gives the right to create/modify the directory
> entries, e.g. adding new files. The access of existing files is
> determined by the files permission. There is no specific-to-general
> relation as you assumed.

I kind of disagree with the last sentence. If you have the right to create
new files in a directory (that is, write permission for the directory), you
by inheritance have the right to write to the files in that directory --
unless there is a more specific permission set on a file that prohibits you
from writing (or vice versa). I think that's the same on *ix and WinNT type
systems. That's the specific-to-general rule I was talking about.


> For example if a user has no directory read access, he is not able to
> list the contents of the directory. But if he knows the name of a file
> in this directory with read access right for him, he can access this
> file. 

Not sure about *ix, but on WinNT, you need to have the "traverse folder"
permission to be able to traverse it, just the read permission won't do it.
(On the file side, the "traverse folder" permission would be then the
"execute file" permission.)


> I hope this makes the concept clear. 

Yes, and IMO it shows that this concept of changing the meaning of a
permission depending on whether it's on a folder or on a file (like both
*ix and Win do it) doesn't work well. I never liked that.

I think the meaning of a permission should be independent of whether it is
applied to a folder or to a file, and it should affect what it is supposed
to affect independently of where it is applied to. Where it is applied to
should only affect its propagation: applied to a folder means that it is
propagated (by default) to files and folders in that folder; applied to a
file means that it is only applied to that file.

For example, there could be a "write" permission that allows writing to
files. There could be an "add files" permission that allows adding files.
The propagation rules would be the same for both; both can be applied to
files and folders. (Of course, the "add files" permission on a file doesn't
give you anything, as you can't add files to a file.) And their meaning
wouldn't change when applied to a file vs. to a folder, only their way of
propagating: having the "write" permission on a folder would only mean that
I have the "write" permission for the files under that folder, not that I
have the "add files" permission for that folder.

Gerhard



More information about the cvsnt mailing list