[OpenAFS] ACLs not working on afs volumes! Help!

matt cocker matt@cs.auckland.ac.nz
Thu, 19 Aug 2004 11:16:36 +1200


Derrick J Brashear wrote:
> On Thu, 19 Aug 2004, matt cocker wrote:
> 
>> Hi
>>
>> We are having a weird problem with some afs volumes in that if a user 
>> has had admin access to a volume and we remove admin access from the 
>> acl list for that user (or remove the user from the acl list 
>> completely) the user can just add themselves back. Is this intended 
>> behavior?
> 
> 
> does the user's pts id own the directory by uid?
> 

Yes

> or, for 1.3 series, do they own the top directory in the volume?
> 
> use chown as an admin and screw em good.
> 

Yes, we noticed that just before you replied (sometimes it pays to read 
the manual every day!).

If the volume mount point directory is owned by the user (i.e. the unix 
uid = pts uid) the user can add any ACLs they want regardless of what 
ACLs are set. If we make the directory owned by a non-user uid they 
cannot. Unfortunately we needed to block some students' web pages served 
out of homedir/public_html and tried to do it via ACLs. The problem is 
twofold in that we first noticed the problem on Windows boxes and figured 
they knew nothing about unix security so the problem was something else. 
The second problem is that if I read you right we have to set the folder 
owner at the root of the volume; this would stop the users logging into 
gdm, which at the moment checks the user owns the home directory.

So why is it done like this? Doesn't make a lot of sense in a multiple 
platform environment (where a lot of users use windows) to have things 
outside the afs security tools determining permissions?


Cheers

Matt
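
Added example, not part of the original message or of OpenAFS: a small audit helper for the behavior discussed above, where a directory owner can still change the ACL after "a" has been removed from their entry. It assumes the ACL text has the layout printed by `fs listacl` and that the owner uid has already been resolved to a pts name; the user, cell and ACL samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: ACL text has the layout
# printed by `fs listacl`, and the owner uid is already resolved to a pts name.

# acl_rights USER: read listacl-style text on stdin and print USER's
# "Normal rights" string (prints nothing if USER has no entry).
acl_rights() {
    awk -v u="$1" '
        /^Normal rights:/   { normal = 1; next }
        /^Negative rights:/ { normal = 0; next }
        normal && $1 == u   { print $2; exit }
    '
}

# verdict OWNER ACL_TEXT ADMIN_OWNERS
#   ADMIN_OWNED  owner is one of the space-separated admin accounts
#   EXPLICIT     owner is a user and the ACL grants them "a" on purpose
#   MISMATCH     owner is a user without "a" in the ACL; by ownership they
#                can still add themselves back
verdict() {
    for admin in $3; do
        if [ "$admin" = "$1" ]; then echo ADMIN_OWNED; return 0; fi
    done
    rights=$(printf '%s\n' "$2" | acl_rights "$1")
    case "$rights" in
        *a*) echo EXPLICIT ;;
        *)   echo MISMATCH ;;
    esac
}

# Constructed samples: the same home directory before and after an
# administrator removed "a" from user jdoe (hypothetical names and cell).
ACL_BEFORE='Access list for /afs/example.org/user/jdoe is
Normal rights:
  system:administrators rlidwka
  jdoe rlidwka'
ACL_AFTER='Access list for /afs/example.org/user/jdoe is
Normal rights:
  system:administrators rlidwka
  jdoe rlidwk'

echo "before, owner jdoe: $(verdict jdoe "$ACL_BEFORE" root)"
echo "after,  owner jdoe: $(verdict jdoe "$ACL_AFTER" root)"
echo "after,  owner root: $(verdict root "$ACL_AFTER" root)"
```

A MISMATCH result marks a directory where the ACL alone does not describe who can administer it, which is the case to review when ACLs are used to block content.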