l4-hurd
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: What's in a group?

From: Michael D. Adams
Subject: Re: What's in a group?
Date: Sun, 19 Mar 2006 19:33:55 -0500 
On 3/19/06, Marcus Brinkmann <address@hidden> wrote:
> At Sun, 19 Mar 2006 17:58:16 -0500,
> Thomas Schwinge <address@hidden> wrote:
> >
> > On Sun, Mar 19, 2006 at 11:17:48PM +0100, Marcus Brinkmann wrote:
> > > But what corresponds to the Unix group concept?  I have identified two
> > > semantic uses for a "group":
> > >
> > > 1) Sharing information and authorization.  Ie, allow communication
> > >    among users of the same group.
> > >
> > > 2) Provide durable storage that is not associated with any particular
> > >    member of the group.
> >
> > 3) Hindrance of the above.
> >
> > #v+
> > $ groups
> > users foo
> > $ ls -l /tmp/not-for-fooers
> > -rw----rw- 1 thomas foo 0 Mar 19 23:45 /tmp/not-for-fooers
> > $ cat /tmp/not-for-fooers
> > cat: /tmp/not-for-fooers: Permission denied
> > #v-
>
> I'm disgusted!
>
> > I don't know if there's a real-world example of this facility being used,
> > though.
>
> I sincerely hope there isn't.  Otherwise it would rank very high in my
> list of horrible Unix idiosyncrasies.
>
> In a capability system, the right way not to share something is, uhm,
> not to share it, of course.

What if I have secret surprise party plans for John who works on 5th
floor and everyone on that floor is invited.  Everyone in the
5th_floor group should be able to read them *except* for John.  I
could make a group 5th_floor_except_john, but that would require a lot
of extra work.  You would replace John with the consulting group that
is leaving.

As a side note, this very same problem appears in logic programming
(e.g. MiniKamren, Prolog).  A "well designed" program should only be
making assertions about true relationships (e.g. John [is_father_of]
Mary, x [unifies_with] y), and never making assertions about false
relationships (e.g. x [! is_father_of] x, x [never_equals] y). 
However, when the set of objects is unbounded this becomes difficult. 
In particular, it is (almost?) impossible to write a correct lambda
calculus interpreter (in logic programming) without never_equals
(extra nonsense solutions appear if you don't use never_equals (e.g.
(((lambda (x) (lambda (x) x)) 1) 2)) results in both 2 (correct) and 1
(incorrect))).  Bottom line is that we don't like negative assertions
(deny permissions) but sometimes they are necessary.

Just some thoughts,
Michael D. Adams
address@hidden
reply via email to
[Prev in Thread] Current Thread [Next in Thread]