Comment 9 for bug 1729357

Seth Arnold (seth-arnold) wrote :

Eric W. Biederman contributed this via email:

> The short answer is that if you want negative acls to work don't try and
> apply them to a user in /etc/subuid or /etc/subgid.
>
> To my knowledge there is not a good solution to this problem.
>
> As for setting setgroups to deny that is the default setting if you do
> nothing. Allow can't be set until the gid map is set. Plus there
> are some inheritance rules that ensure if your parent has deny set you
> always will have deny set.
>
> To date in my experience negative group acls are a theoretical construct
> that no one actually uses.

Given that there's no clear solution to this problem I'm going to make
this bug public, so others can know that subtracting permissions via group
membership isn't perfect.

Thanks
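As an added example (not part of the bug report or of Eric's email), the program below walks through the kernel's /proc/<pid>/setgroups rules that the quoted mail describes, by creating a fresh user namespace in a forked child. It exercises two routes: the one open to an unprivileged user, which has to write "deny" before it may write gid_map, after which setgroups(2) is refused for good; and the route a helper holding CAP_SETGID in the parent namespace takes (newgidmap, a setuid-root helper, does this for users listed in /etc/subgid), which writes gid_map without ever writing "deny", so setgroups stays allowed and the process can then drop every supplementary group, including one a negative ACL relies on. It assumes Linux with user namespaces available and an environment that permits unshare(2); the function and enum names are this example's own, and a refused unshare, a missing capability or a "deny" inherited from the parent namespace are each reported rather than treated as failures.

```c
/* Added example (not from the bug thread): walk through the kernel's
 * /proc/<pid>/setgroups rules inside a fresh Linux user namespace. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000 /* from <linux/sched.h> */
#endif
int unshare(int flags);                        /* glibc prototypes, repeated in */
int setgroups(size_t size, const gid_t *list); /* case _GNU_SOURCE came too late */

enum demo_result {
    DEMO_OK = 0,             /* every step matched user_namespaces(7) */
    DEMO_UNEXPECTED = 1,     /* a step contradicted the documented rules */
    DEMO_UNSUPPORTED = 2,    /* fork/unshare refused here; nothing to test */
    DEMO_NEEDS_CAP = 3,      /* gid_map without "deny" needs CAP_SETGID in the parent */
    DEMO_INHERITED_DENY = 4  /* parent namespace had "deny"; the child inherits it */
};
/* Text of /proc/<pid>/setgroups: 1 = allow, 0 = deny, -1 = anything else. */
int parse_setgroups(const char *text) {
    if (strncmp(text, "allow", 5) == 0) return 1;
    if (strncmp(text, "deny", 4) == 0) return 0;
    return -1;
}
static int write_str(const char *path, const char *s) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    int saved = errno;
    close(fd);
    errno = saved;
    return n == (ssize_t)strlen(s) ? 0 : -1;
}
static int read_setgroups(void) {
    char buf[16] = {0};
    int fd = open("/proc/self/setgroups", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n > 0 ? parse_setgroups(buf) : -1;
}

/* Route open to an unprivileged user: write "deny", then map its own gid.
 * gid is captured in the parent before unshare(): inside the new namespace
 * getegid() reports the overflow gid until a mapping exists. */
static int unprivileged_path(gid_t gid) {
    char map[64];
    if (unshare(CLONE_NEWUSER) != 0) return DEMO_UNSUPPORTED;
    /* No gid_map yet, so setgroups(2) is refused whatever the file says. */
    if (setgroups(0, NULL) == 0 || errno != EPERM) return DEMO_UNEXPECTED;
    /* "deny" is accepted before gid_map and is permanent: "allow" is refused after it. */
    if (write_str("/proc/self/setgroups", "deny") != 0 || read_setgroups() != 0) return DEMO_UNEXPECTED;
    if (write_str("/proc/self/setgroups", "allow") == 0) return DEMO_UNEXPECTED;
    /* With setgroups denied, mapping our own gid needs no CAP_SETGID. */
    snprintf(map, sizeof map, "%u %u 1\n", (unsigned)gid, (unsigned)gid);
    if (write_str("/proc/self/gid_map", map) != 0) return DEMO_UNEXPECTED;
    /* gid_map is set, yet setgroups stays denied: groups cannot be dropped. */
    if (setgroups(0, NULL) == 0 || errno != EPERM) return DEMO_UNEXPECTED;
    return DEMO_OK;
}

/* Route of a helper with CAP_SETGID in the parent (newgidmap is setuid root):
 * write gid_map without ever writing "deny", so setgroups stays allowed. */
static int privileged_path(gid_t gid) {
    char map[64];
    if (unshare(CLONE_NEWUSER) != 0) return DEMO_UNSUPPORTED;
    if (read_setgroups() == 0) return DEMO_INHERITED_DENY;
    snprintf(map, sizeof map, "%u %u 1\n", (unsigned)gid, (unsigned)gid);
    if (write_str("/proc/self/gid_map", map) != 0)
        return errno == EPERM ? DEMO_NEEDS_CAP : DEMO_UNEXPECTED;
    /* Once gid_map exists "deny" is too late, and every supplementary group
     * (including one used for a negative ACL) can be dropped. */
    if (write_str("/proc/self/setgroups", "deny") == 0) return DEMO_UNEXPECTED;
    if (setgroups(0, NULL) != 0 || getgroups(0, NULL) != 0) return DEMO_UNEXPECTED;
    return DEMO_OK;
}

/* Run a scenario in a forked child so the caller's own namespace is untouched. */
static int run_in_child(int (*scenario)(gid_t)) {
    gid_t gid = getegid();
    int status;
    pid_t pid = fork();
    if (pid < 0) return DEMO_UNSUPPORTED;
    if (pid == 0) _exit(scenario(gid));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return DEMO_UNEXPECTED;
    return WEXITSTATUS(status);
}
int run_unprivileged_demo(void) { return run_in_child(unprivileged_path); }
int run_privileged_demo(void)   { return run_in_child(privileged_path); }
int main(void) {
    printf("deny-then-map: %d   map-without-deny: %d   (0 = as documented)\n",
           run_unprivileged_demo(), run_privileged_demo());
    return 0;
}
```

Run it once as an ordinary user and once as root: the first route reports 0 in both cases, while the second reports 3 (gid_map refused) for the ordinary user and 0 for root, which is exactly the capability gap that a setuid newgidmap bridges for anyone in /etc/subgid.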