Path: utzoo!attcan!uunet!lll-winken!lll-tis!ames!pasteur!ucbvax!DRACO.HAC.COM!MNK
From: MNK@DRACO.HAC.COM (Michael N. Kimura)
Newsgroups: comp.os.vms
Subject: Re: ACL Behavior
Message-ID: <880721122256.24C04A9C271@draco.HAC.COM>
Date: 21 Jul 88 19:22:56 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 37

> I just heard a disturbing rumor. If true, it explains why a lot of people
> are confused about WHEN an ACL is checked.
>
> The rumor is that if you have an ACE that reads:
>
>     (Identifier=Something,Access=None)
>
> That the NONE qualifier does NOT mean "deny access", it merely instructs
> the filesystem to stop processing the ACL, and proceed on to check the
> file protection mask.

[incorrect information deleted]

> Can anyone confirm or deny the rumor that "Access=None" does not mean
> "DENY access"?

This is NOT true. If you deny access to an object (file) by identifier, then
anyone possessing that identifier is indeed denied access to the object (file),
no matter what the file protection mask is. The only exceptions to this are:

1) You are the owner of the file; then the owner field is used.
2) You are in the same group and you have GRPPRV privilege; then the system
   field of the protection mask is used.
3) You have SYSPRV privilege or your UIC is a SYSTEM UIC; then the system
   field of the protection mask is used.
4) You have BYPASS privilege; then access is ALWAYS granted.
5) You have READALL privilege and the access is READ or CONTROL.

See figure 4-4 "Flowchart of Access Request Evaluation" on pages 4-45 through
4-48 of the Guide to VAX/VMS System Security.

Michael Kimura
Arpanet: mnk%draco@hac2arpa.hac.com
BITNET:  mnk.draco.hac.com
Phone:   (213) 615-9775
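The evaluation order Michael describes (an identifier ACE with Access=None denies the holder outright, with only the owner, GRPPRV, SYSPRV/system-UIC, BYPASS and READALL exceptions falling back to a protection-mask field) can be written down as a small decision model. The following Python is an added illustration of that description; it is not VMS code, not the post's code, and not a transcription of the flowchart in figure 4-4. The MAXSYSGROUP threshold, the identifier name PROJECT_X, the UICs and the protection mask are all constructed sample values.

```python
"""Model of the ACL / protection-mask evaluation order described in the post.

Added example, not VMS code. It follows the five exceptions listed in the
reply and nothing more; the real flowchart (figure 4-4 of the Guide to
VAX/VMS System Security) is the authoritative description.
"""
from dataclasses import dataclass, field

# Access kinds named in the post.
READ, WRITE, EXECUTE, DELETE, CONTROL = "READ", "WRITE", "EXECUTE", "DELETE", "CONTROL"

# Assumption: UIC groups at or below this value count as "system" UICs.
# VMS takes the real threshold from a system parameter; this value is made up.
MAXSYSGROUP = 0o10


@dataclass(frozen=True)
class ACE:
    """Identifier ACE. An empty access set models (Identifier=X,Access=None)."""
    identifier: str
    access: frozenset = frozenset()


@dataclass
class FileObject:
    owner_uic: tuple          # (group, member)
    protection: dict          # "SYSTEM"/"OWNER"/"GROUP"/"WORLD" -> set of access kinds
    acl: list = field(default_factory=list)


@dataclass
class Subject:
    uic: tuple
    identifiers: frozenset = frozenset()
    privileges: frozenset = frozenset()   # GRPPRV, SYSPRV, BYPASS, READALL


def mask_field(subject, obj):
    """Protection-mask field that applies to this subject, per the post's exceptions."""
    if subject.uic == obj.owner_uic:
        return "OWNER"                                           # exception 1
    if "SYSPRV" in subject.privileges or subject.uic[0] <= MAXSYSGROUP:
        return "SYSTEM"                                          # exception 3
    if subject.uic[0] == obj.owner_uic[0]:
        if "GRPPRV" in subject.privileges:
            return "SYSTEM"                                      # exception 2
        return "GROUP"
    return "WORLD"


def evaluate(subject, obj, requested):
    """Return (granted, reason) for one access request."""
    privs = subject.privileges
    if "BYPASS" in privs:                                        # exception 4
        return True, "BYPASS privilege"
    if "READALL" in privs and requested in (READ, CONTROL):      # exception 5
        return True, "READALL privilege"

    # ACL: the first ACE whose identifier the subject holds decides.
    for ace in obj.acl:
        if ace.identifier not in subject.identifiers:
            continue
        if requested in ace.access:
            return True, f"ACE for {ace.identifier} grants {requested}"
        # The ACE denies. Only the owner/system exceptions fall back to the
        # mask; everyone else is denied regardless of the GROUP/WORLD fields.
        fld = mask_field(subject, obj)
        if fld in ("OWNER", "SYSTEM"):
            return requested in obj.protection[fld], f"ACE denies; {fld} field consulted"
        return False, f"ACE for {ace.identifier} denies {requested}"

    # No matching ACE: ordinary protection-mask check.
    fld = mask_field(subject, obj)
    return requested in obj.protection[fld], f"{fld} field"


# Constructed sample: a file readable by WORLD, with an ACE that denies all
# access to holders of the made-up identifier PROJECT_X.
FILE = FileObject(
    owner_uic=(0o200, 1),
    protection={"SYSTEM": {READ, WRITE, EXECUTE, DELETE},
                "OWNER": {READ, WRITE, EXECUTE, DELETE},
                "GROUP": {READ, EXECUTE},
                "WORLD": {READ}},
    acl=[ACE("PROJECT_X")],          # (Identifier=PROJECT_X,Access=None)
)

HOLDER = Subject((0o200, 5), frozenset({"PROJECT_X"}))
NON_HOLDER = Subject((0o200, 5))
OWNER = Subject((0o200, 1), frozenset({"PROJECT_X"}))
GRPPRV_HOLDER = Subject((0o200, 7), frozenset({"PROJECT_X"}), frozenset({"GRPPRV"}))
READALL_HOLDER = Subject((0o300, 1), frozenset({"PROJECT_X"}), frozenset({"READALL"}))
BYPASS_HOLDER = Subject((0o300, 1), frozenset({"PROJECT_X"}), frozenset({"BYPASS"}))

if __name__ == "__main__":
    subjects = [("holder", HOLDER), ("non-holder", NON_HOLDER), ("owner", OWNER),
                ("grpprv", GRPPRV_HOLDER), ("readall", READALL_HOLDER), ("bypass", BYPASS_HOLDER)]
    for name, subj in subjects:
        for req in (READ, WRITE):
            granted, why = evaluate(subj, FILE, req)
            print(f"{name:11} {req:5} -> {'GRANT' if granted else 'DENY ':5} ({why})")
```

The case the rumor gets wrong is the first one: HOLDER is in the owner's group and the file is WORLD-readable, yet the Access=None ACE denies the read because none of the five exceptions apply. A subject without the identifier falls through to the GROUP field and reads the file normally.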