[rsbac] ACLs / acl_grant Problem

Amon Ott ao at rsbac.org
Mon Jan 16 08:42:42 CET 2006

On Monday 16 January 2006 01:59, jochem_ippers at email.de wrote:
> when I try to change an acl nothing seems to happen; for example
> (existing file and existing user) when I do:
> acl_grant -v -k -u jochem LOCK FD /tmp/hallo 
> Revoke rights: 
> for USER 1001
> Processing FD '/tmp/hallo'
> nothing changes (same with the -m option), LOCK right is still 
> acl_rights -u jochem FILE /tmp/hallo
> acl_rights: User 1001
> /tmp/hallo       
> I compiled rsbac version (rsbac-admin-tools for
> kernel 2.6.14. I tried different compile combinations, at the time I
> try a kernel with ACL as the only security module.

The rights this user has are inherited from the rights the group 0 
(everyone) has to :DEFAULT:, going down to this file via / and /tmp 
and through the file's inheritance mask. In Netware speech, :DEFAULT: 
would be the container which contains the whole filesystem.

To reduce these rights, you must set explicit rights for all users and 
groups that shall have access, and then change the inheritance mask 
with acl_mask.

acl_grant changes the acl at the file itself - if there is no entry 
for the user, revoking with -k will change nothing. acl_tlist can 
show you all acl entries for this file.

http://www.rsbac.org - GnuPG: 2048g/5DEAAA30 2002-10-22
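
The inheritance described in the reply above, as a simplified Python model added here (not RSBAC code and not part of the original thread). It assumes rights are plain sets, that READ and WRITE stand in for the other rights, and that an explicit entry for a subject at an object is used in place of what that subject would inherit; all class and function names are hypothetical.

```python
# Simplified model of the inheritance described in the reply; not RSBAC code.
# Assumption: an explicit entry for a subject at an object is used instead of
# what that subject would inherit there. Right names are a constructed subset.
ALL = frozenset({"READ", "WRITE", "LOCK"})
EVERYONE = ("GROUP", 0)
JOCHEM = ("USER", 1001)

class Obj:
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.entries = {}     # (subject type, id) -> set of rights
        self.mask = set(ALL)  # inheritance mask: what may pass down from parent

def subject_rights(obj, subj):
    """Rights of one subject: own entry if present, else parent's via mask."""
    if obj is None:
        return set()
    if subj in obj.entries:
        return set(obj.entries[subj])
    return subject_rights(obj.parent, subj) & obj.mask

def effective(obj, user, groups=(EVERYONE,)):
    """Union of the user's rights and the rights of the user's groups."""
    rights = subject_rights(obj, user)
    for group in groups:
        rights |= subject_rights(obj, group)
    return rights

def revoke(obj, subj, right):
    """Models acl_grant -k: only touches an entry stored at this object."""
    if subj not in obj.entries:
        return False
    obj.entries[subj].discard(right)
    return True

def build_tree():
    default = Obj(":DEFAULT:")
    default.entries[EVERYONE] = set(ALL)  # group 0 holds the rights here
    return Obj("/tmp/hallo", Obj("/tmp", Obj("/", default)))

def revoke_without_entry():
    f = build_tree()
    return revoke(f, JOCHEM, "LOCK"), "LOCK" in effective(f, JOCHEM)

def explicit_entry_only():
    f = build_tree()
    f.entries[JOCHEM] = {"READ", "WRITE"}
    return effective(f, JOCHEM)           # LOCK still arrives via group 0

def entry_plus_mask():
    f = build_tree()
    f.entries[JOCHEM] = {"READ", "WRITE"}
    f.mask -= {"LOCK"}                    # the acl_mask step from the reply
    return effective(f, JOCHEM)
```

In this model the revoke is a no-op because `/tmp/hallo` has no entry for user 1001, and LOCK only disappears once the file's mask stops it from being inherited through group 0.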
