I am unhappy with the way that VAS resolves conflicts between the users.allow and users.deny files (and between <service>.allow and <service>.deny, where "per service access control" is used) when one of the files contains a user explicitly, and the other contains a group of which the user is a member.
The current rules are described at
The table says that, if a user is explicitly in users.allow, but is also in a group that is in users.deny, then access is ALLOWED (presumably on the principle that the explicit user specification is "more specific").
This goes against basic security principles. A security product should "fail secure". If there is a conflict between allowing or denying access, access should always be denied, regardless of whether the denial is being specified directly, or via membership of a group.
I would like the behaviour of the product to be changed. I recognise that this might cause things to break that rely on the current behaviour. This could be handled by providing a configuration option that controls whether the old or the new behaviour is used.
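As an added illustration (not VAS code), a small resolver that evaluates a user against an allow/deny pair under the current "more specific entry wins" rule and under the "any deny wins" rule requested above. The `@group` line syntax, the sample lists, the group membership and the tie-break at equal specificity are all assumptions made for this example.

```python
from typing import Dict, Set, Tuple

# Constructed sample files (not real VAS configuration). A leading '@' marks a
# group entry; that prefix is an assumption for this example, not VAS syntax.
USERS_ALLOW = """
# explicit user plus a group
alice
@staff
"""
USERS_DENY = """
# group plus an explicit user
@contractors
bob
"""
# Constructed group membership: group name -> members.
GROUPS: Dict[str, Set[str]] = {
    "staff": {"alice", "bob", "carol"},
    "contractors": {"alice"},
}


def parse_list(text: str) -> Tuple[Set[str], Set[str]]:
    """Return (users, groups) named in one allow or deny file."""
    users, groups = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        (groups if line.startswith("@") else users).add(line.lstrip("@"))
    return users, groups


def rank(user: str, entries: Tuple[Set[str], Set[str]], user_groups: Set[str]) -> int:
    """Specificity of the match: 2 = listed by name, 1 = via a group, 0 = no match."""
    users, groups = entries
    if user in users:
        return 2
    return 1 if groups & user_groups else 0


def decide(user: str, allow_text: str, deny_text: str,
           groups: Dict[str, Set[str]], deny_wins: bool) -> bool:
    """True if access is granted. deny_wins=False models the current rule
    (the more specific entry wins; assumed: equal specificity denies),
    deny_wins=True models the requested rule (any deny entry denies)."""
    user_groups = {g for g, members in groups.items() if user in members}
    allow_rank = rank(user, parse_list(allow_text), user_groups)
    deny_rank = rank(user, parse_list(deny_text), user_groups)
    if allow_rank == 0:
        return False          # never listed as allowed
    if deny_rank == 0:
        return True           # allowed and no deny entry applies
    if deny_wins:
        return False          # fail secure: a deny entry always wins
    return allow_rank > deny_rank
```

Under the current rule alice (named in users.allow, denied via @contractors) is granted access; with deny_wins the same conflict is denied.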