[OpenAFS] ACLs not working on afs volumes! Help!
Hartmut Reuter
reuter@rzg.mpg.de
Thu, 19 Aug 2004 09:27:56 +0200
This is intended behaviour. It may be discussed whether it's really
a good idea, but the code in src/viced/afsfileprocs.c in the
routine Check_PermissionRights (line 835 ff) shows

    if (CallingRoutine == CHK_STOREACL) {
        if (!(rights & PRSFS_ADMINISTER)
            && !VolumeOwner(client, targetptr))
            return (EACCES);
    } else {

That means if the client user is the owner of the volume (the owner of
the volume's root directory) he doesn't get EACCES.

-Hartmut
matt cocker wrote:
> Hi
>
> We are having a weird problem with some afs volumes in that if a user
> has had admin access to a volume and we remove admin access from the acl
> list for that user (or remove the user from the acl list completely) the
> user can just add themselves back. Is this intended behavior?
>
> All our user volumes are prefixed with user. i.e. user.username
>
> We have tested other volumes but it only seems to be volumes the user
> has had full access to.
>
> The problem (same for linux and windows)
>
> $ fs listacl /afs/ec.auckland.ac.nz/users/t/ctcoc006
> Access list for tcoc006 is
>
> $ fs listacl /afs/.ec.auckland.ac.nz/users/t/c/tcoc006
> Access list for /afs/.ec.auckland.ac.nz/users/t/c/tcoc006 is
>
> $ ls /afs/ec.auckland.ac.nz/users/t/ctcoc006
> ls: tcoc006: Permission denied
>
> $ fs setacl -dir /afs/ec.auckland.ac.nz/users/t/c/tcoc006 -acl tcoc006 all
>
> $ fs listacl /afs/.ec.auckland.ac.nz/users/t/c/tcoc006
>
> Access list for /afs/.ec.auckland.ac.nz/users/t/c/tcoc006 is
> Normal rights:
> tcoc006 rlidwka
>
> $ fs listacl /afs/ec.auckland.ac.nz/users/t/c/tcoc006
> Access list for tcoc006 is
> Normal rights:
> tcoc006 rlidwka
>
> We are looking into other affected volumes but at the moment I just want
> to know if we have misunderstood how ACLs work, but users can't even
> view the ACLs of volume mount points that they don't have ACL entries for
> i.e.
>
>
> fs: You don't have the required access rights on 'tcle012'
> Access list for tcoc006 is
>
>
> Confused
>
> Cheers
>
> Matt
--
-----------------------------------------------------------------
Hartmut Reuter e-mail reuter@rzg.mpg.de
phone +49-89-3299-1328
RZG (Rechenzentrum Garching) fax +49-89-3299-1301
Computing Center of the Max-Planck-Gesellschaft (MPG) and the
Institut fuer Plasmaphysik (IPP)
-----------------------------------------------------------------
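
An audit sketch for the behaviour described in this thread, added here as an example and not taken from OpenAFS or from either poster: it parses `fs listacl` output and lists directories whose owner has no effective `a` (administer) entry but would still pass the VolumeOwner() branch quoted above. The paths, users and owner map are constructed, how the owner map is gathered is left as an assumption, and only direct user entries are considered (group membership is not resolved).

```python
import re

# Constructed sample: `fs listacl` output for three volume root directories,
# in the format shown in the thread (cell name, paths and users are made up).
SAMPLE_LISTACL = """\
Access list for /afs/.example.org/users/a/alice is
Normal rights:
  alice rlidwka
Access list for /afs/.example.org/users/b/bob is
Access list for /afs/.example.org/users/c/carol is
Normal rights:
  carol rlidwka
Negative rights:
  carol a
"""
# Constructed: owner of each volume's root directory (assumed to be collected
# separately; each user owns their own home volume here).
SAMPLE_OWNERS = {f"/afs/.example.org/users/{u[0]}/{u}": u
                 for u in ("alice", "bob", "carol")}

HEADER = re.compile(r"^Access list for (.+) is$")

def parse_listacl(text):
    """Return {path: {"normal": {who: rights}, "negative": {who: rights}}}."""
    acls, current, section = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            # An empty ACL (as in the thread) is a header with no entries.
            current = acls.setdefault(m.group(1), {"normal": {}, "negative": {}})
            section = None
        elif line in ("Normal rights:", "Negative rights:"):
            section = line.split()[0].lower()
        elif current is not None and section and len(line.split()) == 2:
            who, rights = line.split()
            current[section][who] = rights
    return acls

def implicit_acl_admins(acls, owners):
    """List (path, owner) where the owner's ACL-change ability comes only from ownership."""
    findings = []
    for path, acl in sorted(acls.items()):
        owner = owners.get(path)
        granted = "a" in acl["normal"].get(owner, "")
        denied = "a" in acl["negative"].get(owner, "")  # negative entries remove rights
        if owner is not None and (not granted or denied):
            findings.append((path, owner))
    return findings
```
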