David Collier-Brown wrote:
> | If groups and wimpy Unix permission bits work now, why would you
> | need full NT ACLs? Would not ordinary POSIX ones suffice???

Gerald (Jerry) Carter wrote:

> Volker's saying that unless we go to userspace access
> checks using the full NT_USER_TOKEN (which is not limited
> by the OS), you are out of luck. If we went this way, we might as well
> make everything on the file system owned as root and store
> the real NT ACL in EAs.

I was actually asking a different question...

Right now, we have Unix permission bits for user,
group and other, for user, other and a list of groups.
And it works. We can represent most of the
access controls that NT does.

We certainly could use more capabilities: Volker's
"707" (negative ACL) and excessive-power-of-root
criticisms are valid, but they don't keep us from
supporting large NT and AD sites.

So what's wrong with an incremental improvement, from
permission bits and groups to ACLs which provide
little more than a fine-grained set of rwx permissions?

[The French have a proverb, "the best is often the enemy of the good"]

David Collier-Brown, | Always do right. This will gratify
Sun Microsystems, Toronto | some people and astonish the rest
davecb@canada.sun.com | -- Mark Twain