Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!ucsd!ucbvax!ICAEN.UIOWA.EDU!dbfunk
From: dbfunk@ICAEN.UIOWA.EDU (David B Funk)
Newsgroups: comp.sys.apollo
Subject: Re: How about using ACLs? versus Unix rights?
Message-ID: <9101101113.AA23133@icaen.uiowa.edu>
Date: 10 Jan 91 10:43:58 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: Iowa Computer Aided Engineering Network, University of Iowa
Lines: 35

In posting <1030@eba.eb.ele.tue.nl>, Willem Jan Withagen asks:

> I've got this directory /usr/local/include which has some extra ACL's
> appended. Now it functions as I expect it would, so there's no problem
> there.
> However the Unix rights do not really make sense. Why do they have rwx for
> the world whilst they do not have it? (:-))
> Now you can do chmod 775 to the directory, but then the extended mask gets
> reset to r-x.

[stuff deleted showing an example ACL]

> Probably are there good reasons for this, but I don't understand them.
> Can anybody enlighten me?

Yes, check out appendix A in the file "os.v.10.?__transition_guide". You
should be able to find it in the directory "/install/doc/apollo" where the
OS release notes are put by install. In particular, look at the part that
talks about the effect of a "chmod" on the extended ACL mask and the part
that explains the ACL search order (around pages A-5 to A-7).

There is a version of this file included with each release of the OS, such
as os.v.10.1__transition_guide, os.v.10.2__transition_guide, etc. The
versions that came with sr10.2 and later are better than sr10.1 and older.

The bottom line is when you use the extra power of the ACL, you are using
more protection information than can be presented by the "stat" Unix call.
Therefore the "stat" call must either UNDER present the real state of the
world, or OVER present it. Pre-sr10, Apollo chose the under-present
philosophy (i.e. the old what-they-don't-know-won't-hurt-them idea) but
Apollo got lots of abuse for not "telling-it-like-it-is". So at sr10, they
changed to the over-present philosophy and now you see the "funny" extra
stuff in an "ls -l".

There is a chapter (6) in the book "Domain/OS Design Principles" that
describes how this works and some of the decisions behind the
implementation.

Dave Funk
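
An added illustration of the under-present versus over-present trade-off described in the post above (not part of the original posting and not Domain/OS code). It assumes a simplified model in which extra per-principal ACL entries are folded into the world bits that "stat" reports and a matching extra entry wins over the class entry; SAMPLE_ACL, project, effective and misreported are hypothetical names.

```python
# Simplified model (an assumption, not Domain/OS's real algorithm): an ACL has
# owner/group/world entries plus extra per-principal entries, and stat() has
# to fold the extras into the nine Unix mode bits.
R, W, X = 4, 2, 1

def rights(s):
    """Turn a string such as 'r-x' into a bitmask."""
    return sum(bit for ch, bit in zip(s, (R, W, X)) if ch != "-")

def fmt(bits):
    """Turn a bitmask back into a string such as 'r-x'."""
    return "".join(ch if bits & bit else "-" for ch, bit in zip("rwx", (R, W, X)))

def project(acl, over=True):
    """Mode string stat would show: extras are OR-ed into the world bits when
    over-presenting, AND-ed when under-presenting."""
    world = acl["world"]
    for extra in acl["extra"].values():
        world = (world | extra) if over else (world & extra)
    return fmt(acl["owner"]) + fmt(acl["group"]) + fmt(world)

def effective(acl, principal):
    """Real access for a non-owner, non-group principal: a matching extra
    entry takes precedence over the world entry (assumed search order)."""
    return acl["extra"].get(principal, acl["world"])

def misreported(acl, principals, over=True):
    """Map each principal whose real access differs from the displayed world
    bits to a (displayed, real) pair. This is what an audit based only on
    'ls -l' output would get wrong."""
    shown = rights(project(acl, over)[6:])
    return {p: (fmt(shown), fmt(effective(acl, p)))
            for p in principals if effective(acl, p) != shown}

# Constructed sample: world gets r-x, one extra entry grants 'builder' rwx.
SAMPLE_ACL = {"owner": rights("rwx"), "group": rights("rwx"),
              "world": rights("r-x"), "extra": {"builder": rights("rwx")}}

if __name__ == "__main__":
    for over in (True, False):
        label = "over-present " if over else "under-present"
        print(label, project(SAMPLE_ACL, over),
              misreported(SAMPLE_ACL, ["builder", "guest"], over))
```

In this model over-presenting makes a mode-bit audit flag access that ordinary users do not have, while under-presenting hides the grant to the extra principal, so either way the full ACL has to be read to know who can write.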