Volker Lendecke wrote:
> Imagine you are member of group x and y. The current "attempt" is only based on
> group x as this is what you recently told the kernel. You have a file with
> owning group y and permissions 707, ie deny group y and allow others. Because
> the kernel is only aware of your membership in x, the access mask for "others"
> will apply. This is 7, so you will be allowed access. If by chance the last
> thing you told the kernel was your membership in y, then you would have been
> denied access.

And that's a big whacking bug of short-group-list Unix,
and one that will behave differently depending on
whether you have group y in your groups list.

[ The only good thing is that the usage of "deny"
ACLs is rare. The distribution on Multics was
something like
  individual and group permit IACLs - 90%
  individual permit ACLs           - 9%
  individual deny ACLs             - 1/2%
  everything else                  - 1/2%
An IACL is an "initial ACL", put at the top
of a directory tree for all files in the tree
to inherit.]
David Collier-Brown, | Always do right. This will gratify
Sun Microsystems, Toronto | some people and astonish the rest
davecb@canada.sun.com | -- Mark Twain
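The 707 scenario above, worked through in code. This is an added illustration, not something posted in the thread: it models the classic POSIX mode-bit check (exactly one of the owner/group/other classes applies, chosen from the group list the kernel currently holds), and the uids, gids and file modes are constructed values. Root's bypass and ACLs beyond the nine mode bits are deliberately left out.

```python
# Constructed example: classic POSIX mode-bit access decision and an audit
# helper that spots files whose outcome depends on which groups the kernel
# happens to know about. Values below are made up for the illustration.

R, W, X = 4, 2, 1


def mode_class_for(mode, owner_uid, owner_gid, uid, groups):
    """Pick the one permission class that applies to the requester.

    `groups` is the requester's group list *as the kernel currently has it*,
    which is the whole point of the thread: if group y is not in that list,
    the 'other' class is used even though the user really is a member of y.
    """
    if uid == owner_uid:
        return (mode >> 6) & 7          # owner class
    if owner_gid in groups:
        return (mode >> 3) & 7          # group class
    return mode & 7                     # other class


def check_access(mode, owner_uid, owner_gid, uid, groups, want):
    """Return True if every bit in `want` (R/W/X) is granted."""
    cls = mode_class_for(mode, owner_uid, owner_gid, uid, groups)
    return (cls & want) == want


def is_deny_style(mode):
    """True when the group class grants strictly less than the other class.

    Those are exactly the files where the decision flips depending on whether
    the owning group is present in the kernel's copy of the group list.
    """
    group_bits = (mode >> 3) & 7
    other_bits = mode & 7
    return bool(other_bits & ~group_bits)


def possible_outcomes(mode, owner_uid, owner_gid, uid, real_groups, want):
    """Enumerate what the kernel would decide for each 'last told' group.

    Returns a dict {gid_or_None: allowed}, one entry per single-group view
    plus the full list; more than one distinct value means the answer is
    order-dependent and the file should be looked at.
    """
    views = {g: [g] for g in real_groups}
    views[None] = list(real_groups)     # kernel knows the full membership
    return {
        k: check_access(mode, owner_uid, owner_gid, uid, v, want)
        for k, v in views.items()
    }


# Constructed scenario from the thread: user 1001 is in groups x and y,
# file is owned by uid 1000 / group y with mode 707.
GID_X, GID_Y = 100, 200
USER, OWNER = 1001, 1000
MODE = 0o707


def thread_scenario():
    """Return (allowed when kernel only knows x, allowed when it knows y)."""
    only_x = check_access(MODE, OWNER, GID_Y, USER, [GID_X], R)
    only_y = check_access(MODE, OWNER, GID_Y, USER, [GID_Y], R)
    return only_x, only_y


if __name__ == "__main__":
    print("kernel knows only x / only y:", thread_scenario())
    print("deny-style mode 707:", is_deny_style(MODE))
    print("outcomes:", possible_outcomes(MODE, OWNER, GID_Y, USER,
                                         [GID_X, GID_Y], R))
```

`possible_outcomes` is the part worth reusing: running it over an `ls -l`-style listing of group-owned files with `is_deny_style` as a pre-filter picks out exactly the handful of files (the "deny ACL" half-percent, in the Multics numbers above) for which a short or stale group list changes the answer.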