[AFS3-std] Re: Methods of Restricting AFS3 ACL rights (correctness+performance)
Adam Megacz
adam@megacz.com
Mon, 18 Jan 2010 06:03:20 +0000
Andrew Deason <adeason@sinenomine.net> writes:
>> If you are talking about my transitive ACLs proposal, then the new
>> foo/dir is still subject to the transitive acl on foo/.
>
> I said you put a transitive ACL on foo/dir.

Then do what I said one more level up.

The whole point is to put the transitive ACL at a point higher up in the
tree than the point where your users are able to make changes.

Here, let's be more concrete:

  fs sa /afs/@cell/web/ !system:authuser a -negative -transitive

Normal users cannot "mv /afs/@cell/web/ /afs/@cell/web/". If they can,
you've got the ACLs on /afs/@cell/web/ set wrong.

- a