[OpenAFS] adding a group to a group?

Dexter Kimball dhk@ccre.com
Tue, 8 Mar 2005 08:45:50 -0700


>
> First, thx for that long explanation. It helps me a lot right here :-)
>

Nice to hear -- thanks.

WRT your question:
> But if there are no permissions for the system:anyuser users
> on the fresh mounted volume (and nor on the "upper" mounts of that
> volume), do I also have to set system:anyuser none to explicit forbid
> them?

Setting "/a/b/c <group | user > none" removes the specified group or user
from the ACL.

If system:anyuser is not on the ACL there's no need to remove them (bet you
already figured that out :)

So no, if system:anyuser isn't already on the ACL there's no need to issue
"fs sa <dir> system:anyuser none"

I was thinking that "system:anyuser" might already be in place on some of
your ACLs.

I'm not sure what you intend when you mention "upper mounts" ??

Kim

> Dexter Kimball wrote:
> | Oops.
> |
> | Omit the comment about "no current support for groups within groups" for
> | OpenAFS.  Had my Transarc hat on.  There is a compile-time argument for
> | supergroups for OpenAFS.  My bad.  (My bad memory :)
> |
> | I'm not entirely sure why you want a group that contains all users and all
> | IP groups, unless the distinction between "all users in this PT group" and
> | "all users authenticated in my cell" is somehow critical to you -- which
> | does happen if there are some users in your cell who do have accounts but
> | who must be restricted from the "MyCell/system:authuser" groups.  If not,
> | why maintain a "all users in my cell" group?  Perhaps I missed something
> | earlier in the thread.
>
> There was a misunderstanding on my side for system:authuser. So you helped
> me on the right way.
> On the note of the mail before, you wrote I have to set system:anyuser none
> on every node of every volume.
> But if there are no permissions for the system:anyuser users on the fresh
> mounted volume (and nor on the "upper" mounts of that volume), do I also
> have to set system:anyuser none to explicit forbid them?
> E.G.: tree /a/b/c only for group bla permissions write. I mount /a/b/c/d
> with group bla write permissions in it. Without setting system:anyuser none,
> members of bla could set a link readable for system:anyuser?
> And if i set fs setacl /a/b/c/d system:anyuser none, that setting by the
> members of bla is prohibited?
>
>
> | Kim
>
> Thx so far
> Lars
> --
> -----------------------------------------------------------------
> Technische Universität Braunschweig, Institut für Computergraphik
> Tel.: +49 531 391-2109            E-Mail: schimmer@cg.cs.tu-bs.de
> PGP-Key-ID: 0xB87A0E03