[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: What's in a group?
From: |
Michael D. Adams |
Subject: |
Re: What's in a group? |
Date: |
Sun, 19 Mar 2006 19:33:55 -0500 |
On 3/19/06, Marcus Brinkmann <address@hidden> wrote:
> At Sun, 19 Mar 2006 17:58:16 -0500,
> Thomas Schwinge <address@hidden> wrote:
> >
> > On Sun, Mar 19, 2006 at 11:17:48PM +0100, Marcus Brinkmann wrote:
> > > But what corresponds to the Unix group concept? I have identified two
> > > semantic uses for a "group":
> > >
> > > 1) Sharing information and authorization. Ie, allow communication
> > > among users of the same group.
> > >
> > > 2) Provide durable storage that is not associated with any particular
> > > member of the group.
> >
> > 3) Hindrance of the above.
> >
> > #v+
> > $ groups
> > users foo
> > $ ls -l /tmp/not-for-fooers
> > -rw----rw- 1 thomas foo 0 Mar 19 23:45 /tmp/not-for-fooers
> > $ cat /tmp/not-for-fooers
> > cat: /tmp/not-for-fooers: Permission denied
> > #v-
>
> I'm disgusted!
>
> > I don't know if there's a real-world example of this facility being used,
> > though.
>
> I sincerely hope there isn't. Otherwise it would rank very high in my
> list of horrible Unix idiosyncrasies.
>
> In a capability system, the right way not to share something is, uhm,
> not to share it, of course.
What if I have secret surprise party plans for John who works on 5th
floor and everyone on that floor is invited. Everyone in the
5th_floor group should be able to read them *except* for John. I
could make a group 5th_floor_except_john, but that would require a lot
of extra work. You would replace John with the consulting group that
is leaving.
As a side note, this very same problem appears in logic programming
(e.g. MiniKamren, Prolog). A "well designed" program should only be
making assertions about true relationships (e.g. John [is_father_of]
Mary, x [unifies_with] y), and never making assertions about false
relationships (e.g. x [! is_father_of] x, x [never_equals] y).
However, when the set of objects is unbounded this becomes difficult.
In particular, it is (almost?) impossible to write a correct lambda
calculus interpreter (in logic programming) without never_equals
(extra nonsense solutions appear if you don't use never_equals (e.g.
(((lambda (x) (lambda (x) x)) 1) 2)) results in both 2 (correct) and 1
(incorrect))). Bottom line is that we don't like negative assertions
(deny permissions) but sometimes they are necessary.
Just some thoughts,
Michael D. Adams
address@hidden