On Tue, Mar 08, 2005 at 03:35:02PM +0100, Edgar, Bob wrote:
> If the kernel denies based upon an ACL (Unix side) then that's fine
> with me. That's what Samba is supposed to do, is it not? The
> user/group that the user "is" after authentication has just those
> rights that the OS grants. If the ACL denies for group X then we
> continue to try all the rest of the groups until either one succeeds
> or we run out of groups. There is no need to check the ACLs in user space.

Imagine you are member of group x and y. The current "attempt" is only based on
group x as this is what you recently told the kernel. You have a file with
owning group y and permissions 707, ie deny group y and allow others. Because
the kernel is only aware of your membership in x, the access mask for "others"
will apply. This is 7, so you will be allowed access. If by chance the last
thing you told the kernel was your membership in y, then you would have been
denied access.