[AFS3-std] Re: Methods of Restricting AFS3 ACL rights (correctness+performance)

Adam Megacz adam@megacz.com
Mon, 18 Jan 2010 06:03:20 +0000


Andrew Deason <adeason@sinenomine.net> writes:
>> If you are talking about my transitive ACLs proposal, then the new
>> foo/dir is still subject to the transitive acl on foo/.
>
> I said you put a transitive ACL on foo/dir.

Then do what I said one more level up.

The whole point is to put the transitive ACL at a point higher up in the
tree than the point where your users are able to make changes.

Here, let's be more concrete:

  fs sa /afs/@cell/web/ !system:authuser a -negative -transitive

Normal users cannot "mv /afs/@cell/web/ /afs/@cell/web/".  If they can,
you've got the ACLs on /afs/@cell/web/ set wrong.

  - a