Re: ACL for PGP [Virus checked (@MLP)] [Virus checked]
The interpretation is quite simple.
It goes from top to bottom and stops at the first match.
On Wednesday 09 January 2002 13:28, you wrote:
> access to dn=".*,o=PGP Keys,dc=atrete,dc=ch" by * write
Anybody has write access to anything below o=PGP Keys,dc=atrete,dc=ch.
> access to dn=".*,dc=atrete,dc=ch" by * write
Anybody has write access to anything below dc=atrete,dc=ch.
> access to dn=".*,dc=ch" by * read
Anybody has read access to anything below dc=atrete,dc=ch.
But remember: anything below dc=atrete,dc=ch is writable
because of the "stop at first match" rule.
> access to * by * write
Anybody has write access to anything else.
IMHO the first line is not necessary, since it should be covered
by the second line.
1. A very big part of your directory is writable by anybody.
[This is very funny if you use your directory to publish
PGP keys, since anybody can publish faked PGP keys.]
2. If you only have entries below dc=atrete,dc=ch in your directory,
the only entry that is read-only is the entry dc=atrete,dc=ch.
3. If you have entries below dc=ch in your directory that are not below
dc=atrete,dc=ch, they are all read-only.
Peter Marschall | eMail: email@example.com
Scheffelstraße 15 | firstname.lastname@example.org
97072 Würzburg | Tel: 0931/14721
PGP: D7 FF 20 FE E6 6B 31 74 D1 10 88 E0 3C FE 28 35
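The first-match evaluation described in the reply above, as an added example that is not part of the original thread or of OpenLDAP itself: a small Python simulator that applies the four quoted rules to constructed sample DNs and flags the clause whose removal changes nothing. It assumes that dn="..." patterns are unanchored regexes matched like regexec(), that "*" matches every entry, and that each clause has a single "by * <level>" part.

```python
import re
from dataclasses import dataclass

# Added example, not code from the thread: simulates slapd's "top to bottom,
# stop at the first matching 'access to' clause" evaluation on the quoted ACL.
# Assumed simplifications of real slapd: dn="<pattern>" is an unanchored regex
# matched like regexec(), "*" matches every entry, one "by * <level>" per clause.

@dataclass
class AccessRule:
    target: str  # regex for the entry DN, or "*" for any entry
    level: str   # what "by *" grants: "write", "read" or "none"

# The four rules exactly as quoted in the reply above.
QUOTED_ACL = [
    AccessRule(r".*,o=PGP Keys,dc=atrete,dc=ch", "write"),
    AccessRule(r".*,dc=atrete,dc=ch", "write"),
    AccessRule(r".*,dc=ch", "read"),
    AccessRule("*", "write"),
]

# Constructed sample entries, one for each region the reply talks about.
SAMPLE_DNS = [
    "uid=alice,o=PGP Keys,dc=atrete,dc=ch",  # below o=PGP Keys
    "cn=admin,dc=atrete,dc=ch",              # below dc=atrete,dc=ch
    "dc=atrete,dc=ch",                       # the suffix entry itself
    "o=Other,dc=ch",                         # below dc=ch but not dc=atrete
    "dc=com",                                # outside dc=ch entirely
]

def matching_rule(acl, entry_dn):
    """Index of the first clause whose target matches entry_dn, or None."""
    for i, rule in enumerate(acl):
        if rule.target == "*" or re.search(rule.target, entry_dn, re.IGNORECASE):
            return i
    return None

def access_for(acl, entry_dn):
    """Access anybody gets on entry_dn; slapd denies when no clause matches."""
    i = matching_rule(acl, entry_dn)
    return "none" if i is None else acl[i].level

def redundant_rules(acl, sample_dns):
    """Indices of clauses whose removal changes no decision on the samples."""
    return [i for i in range(len(acl))
            if all(access_for(acl, dn) == access_for(acl[:i] + acl[i + 1:], dn)
                   for dn in sample_dns)]
```

With the quoted ACL, access_for() returns "read" only for dc=atrete,dc=ch and o=Other,dc=ch and "write" for every other sample, and redundant_rules() returns [0], matching the reply's remark that the first line is unnecessary.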