I'm still not totally happy with the "allow by default" semantics of the system.conf file. As is stated in the configuration file comment:

```
Any user or group NOT matched by an allow or a deny will be ALLOWED to perform the action by default
```

This is usually a bad idea. We do have the "user: * deny: *" line at the end of the configuration file. But if either an administrator mistypes something in the configuration file, or the file processing logic is messed up again in the code, we might open up the tool to more users than intended.
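The failure mode described above, as an added example that is not part of the original comment or the project's code: a small evaluator for a simplified rule grammar assumed from the quoted `user: * deny: *` line, with first-match-wins ordering also assumed. The names `parse`, `decide`, `GOOD`, `TYPO` and the sample users and action are constructed for illustration.

```python
import re

# Simplified rule grammar, ASSUMED from the catch-all line quoted above:
#   user: <name|*> allow|deny: <action|*>
RULE = re.compile(r"^user:\s*(\S+)\s+(allow|deny):\s*(\S+)$")

def parse(conf):
    """Return (rules, rejected_lines). A lenient parser silently drops rejects."""
    rules, rejected = [], []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m:
            rules.append(m.groups())
        else:
            rejected.append(line)
    return rules, rejected

def decide(conf, user, action, default_allow, strict=False):
    """Authorize `user` for `action`; first matching rule wins (assumption)."""
    rules, rejected = parse(conf)
    if strict and rejected:
        # Fail closed: never authorize from a config that did not fully parse.
        return False
    for who, verdict, what in rules:
        if who in ("*", user) and what in ("*", action):
            return verdict == "allow"
    return default_allow  # reached only when no rule matched

# Constructed sample configs (hypothetical users and action).
GOOD = "user: alice allow: restart\nuser: * deny: *\n"
TYPO = GOOD.replace("deny:", "dney:")  # administrator mistypes the catch-all

def demo():
    return {
        "intact config, allow-by-default": decide(GOOD, "mallory", "restart", True),
        "typo, allow-by-default": decide(TYPO, "mallory", "restart", True),
        "typo, deny-by-default": decide(TYPO, "mallory", "restart", False),
        "typo, strict parse": decide(TYPO, "alice", "restart", True, strict=True),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'ALLOWED' if allowed else 'denied'}")
```

With allow-by-default, the single mistyped keyword removes the only line that was keeping unlisted users out; with deny-by-default or a strict parse, the same typo only locks users out.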