Re: ACLs, ACE and ls -e / chmod


  • Subject: Re: ACLs, ACE and ls -e / chmod
  • From: Sachin Kumar <email@hidden>
  • Date: Tue, 10 Feb 2009 11:09:20 +0530


----- Original Message -----
From: "James Peach" <email@hidden>
To: "John Michael Zorko" <email@hidden>
Cc: <email@hidden>
Sent: Friday, February 06, 2009 3:04 AM
Subject: Re: ACLs, ACE and ls -e / chmod


2009/2/5 John Michael Zorko <email@hidden>:

James,

Wow -- thanks for the info, it is appreciated.  I have to do a Win32
implementation of this class (and possibly one for Linux, depending on how
close OSX is to it regarding ACLs), so that site will help.

Linux ACLs are completely different both structurally and in semantics.

Note that while Darwin ACLs are intended to conform to the Windows ACL
model, there are differences in behaviour, e.g. Creator Owner isn't
rewritten. Feel free to file radars :)

I will also need to eventually restore the ACLs back to a file, so thanks
on the tip of making sure to preserve the correct order.

I've another question about ACLs and the acl_* APIs.  If acl_get_tag_type()
succeeds (returns 0), can acl_get_permset() fail?  If acl_get_permset()
succeeds, can acl_get_perm_np() fail?

I think acl_get_perm_np will only fail if there are bits set in the permset that are not defined by the kauth permission bits.

I guess the bigger question is, "Is an ACL with an ACE with a tag type but
no permset worth saving at all?"

I would say no, but seems harmless to save and restore them.


An ACE contains an identity, a type and a set of permissions. This
means that a single ACE can allow OR deny more than one permission but
it can't allow AND deny.

"jmzorko deny write allow read allow execute" breaks down into 2 ACEs:
  jmzorko deny write
  jmzorko allow read execute

Darwin ACLs follow the Windows ACL model pretty closely, so the
description of ACL structure here

<http://alt.pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsAnAccessControlList.html>
is quite applicable. Just substitute GUID where it says SID.

If you rewrite ACLs, remember to preserve the canonical ordering (see
chmod(1)) because there's no API in the system to do that for you.

Regards,

John

Falling You - exploring the beauty of voice and sound
http://www.fallingyou.com






-- James Peach | email@hidden


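The ACE split and the ordering check discussed in the thread, as an added example that is not part of the original messages. The function names are hypothetical, the line format is modelled on `ls -le` output, the canonical order is the one given in chmod(1) on macOS, and the sample listing is constructed.

```python
import re

# Canonical order as documented in chmod(1) on macOS:
# local deny, local allow, inherited deny, inherited allow.
RANK = {(False, "deny"): 0, (False, "allow"): 1,
        (True, "deny"): 2, (True, "allow"): 3}

# One ACE line in the style printed by `ls -le` (format assumed here), e.g.
# " 0: user:jmzorko deny write" or " 2: group:staff inherited allow read"
ACE_RE = re.compile(
    r"^\s*(?:\d+:\s*)?(?P<who>\S+)(?P<inh>\s+inherited)?"
    r"\s+(?P<kind>allow|deny)\s+(?P<perms>\S+)\s*$")

# Constructed sample: a saved ACL whose entries were written back out of order.
SAMPLE = [" 0: user:jmzorko allow read,execute",
          " 1: user:jmzorko deny write",
          " 2: group:staff inherited allow read"]

def parse_ace(line):
    """Return (identity, inherited, kind, perms) for one ACE line."""
    m = ACE_RE.match(line)
    if not m:
        raise ValueError(f"not an ACE line: {line!r}")
    return (m["who"], bool(m["inh"]), m["kind"], tuple(m["perms"].split(",")))

def split_grants(who, spec):
    """Split 'deny write allow read ...' into one local ACE per type."""
    words = spec.split()
    if len(words) % 2:
        raise ValueError("expected 'allow|deny <perm>' pairs")
    by_kind = {"deny": [], "allow": []}
    for kind, perm in zip(words[0::2], words[1::2]):
        by_kind[kind].append(perm)  # KeyError on anything but allow/deny
    return [(who, False, k, tuple(p)) for k, p in by_kind.items() if p]

def first_out_of_order(aces):
    """Index of the first ACE that breaks canonical order, or None."""
    ranks = [RANK[(inh, kind)] for _, inh, kind, _ in aces]
    for i in range(1, len(ranks)):
        if ranks[i] < ranks[i - 1]:
            return i
    return None

def canonicalize(aces):
    """Stable sort: relative order inside each class is preserved."""
    return sorted(aces, key=lambda a: RANK[(a[1], a[2])])
```

Running `first_out_of_order` on a saved ACL before restoring it shows whether the backup preserved the order, and `canonicalize` repairs it without reshuffling entries within a class.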

