[AFS3-std] Re: Methods of Restricting AFS3 ACL rights (correctness+performance)

Andrew Deason adeason@sinenomine.net
Mon, 18 Jan 2010 00:41:25 -0600


On Mon, 18 Jan 2010 06:03:20 +0000
Adam Megacz <adam@megacz.com> wrote:

> 
> Andrew Deason <adeason@sinenomine.net> writes:
> >> If you are talking about my transitive ACLs proposal, then the new
> >> foo/dir is still subject to the transitive acl on foo/.
> >
> > I said you put a transitive ACL on foo/dir.
> 
> Then do what I said one more level up.

Yes, so then it's not terribly useful, unless you always use it at the
volume root. Hence, volume-level ACLs.

> Here, let's be more concrete:
> 
>   fs sa /afs/@cell/web/ !system:authuser a -negative -transitive
> 
> Normal users cannot "mv /afs/@cell/web/ /afs/@cell/web/".  If they
> can, you've got the ACLs on /afs/@cell/web/ set wrong.

I would also hope you don't have your entire web tree (including user
personal webspace) all contained in one volume... you need to mark the
policy restrictions on the volumes mounted in the web tree anyway.

-- 
Andrew Deason
adeason@sinenomine.net
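The two positions in this exchange can be made concrete with a small model. The following is an added example, not code from the thread or from OpenAFS: it models per-directory ACLs with AFS's `rlidwka` rights and negative entries, plus the hypothetical `-transitive` flag the proposal describes, under the assumption that a transitive entry applies to every descendant directory within the same volume and stops at a mount point. Cell name, principals and directory layout are constructed for the demonstration.

```python
"""Model of AFS-style directory ACLs with a hypothetical '-negative -transitive'
entry. Constructed example for the thread above; not OpenAFS code.

Assumed semantics of the proposal:
  * an entry marked transitive applies to the directory it is set on and to
    every descendant directory in the same volume;
  * evaluation never crosses a volume boundary (mount point), so a volume
    mounted inside the tree only sees its own ACLs.
"""
from dataclasses import dataclass, field
from typing import Optional

ALL_RIGHTS = frozenset("rlidwka")  # read list insert delete write lock administer


@dataclass
class AclEntry:
    principal: str
    rights: frozenset
    negative: bool = False    # real AFS: negative entries subtract rights
    transitive: bool = False  # hypothetical flag from the proposal


@dataclass
class Directory:
    name: str
    volume_root: bool = False          # True where a volume is mounted
    acl: list = field(default_factory=list)
    children: dict = field(default_factory=dict)
    parent: Optional["Directory"] = None

    def mkdir(self, name, volume_root=False):
        child = Directory(name, volume_root=volume_root, parent=self)
        self.children[name] = child
        return child


def lookup(root, path):
    node = root
    for part in path.strip("/").split("/"):
        if part:
            node = node.children[part]
    return node


def applicable_entries(d):
    """Own ACL, plus transitive entries of ancestors up to the volume root."""
    entries = list(d.acl)
    node = d
    while not node.volume_root and node.parent is not None:
        node = node.parent
        entries.extend(e for e in node.acl if e.transitive)
    return entries


def effective_rights(d, principals):
    granted, denied = set(), set()
    for e in applicable_entries(d):
        if e.principal in principals:
            (denied if e.negative else granted).update(e.rights)
    return frozenset(granted - denied)


def move(d, new_parent):
    """'mv' of a directory: the directory keeps its own ACL, only its parent changes."""
    del d.parent.children[d.name]
    d.parent = new_parent
    new_parent.children[d.name] = d


def restrict_admin(volume_root_dir):
    """Andrew's point: the policy has to be marked on each mounted volume."""
    volume_root_dir.acl.append(
        AclEntry("system:authuser", frozenset("a"), negative=True, transitive=True))


def build_cell():
    root = Directory("/", volume_root=True)
    cell = root.mkdir("afs").mkdir("example.cell", volume_root=True)  # placeholder cell
    web = cell.mkdir("web", volume_root=True)
    web.acl = [AclEntry("system:authuser", frozenset("rl")),
               AclEntry("system:authuser", frozenset("a"), negative=True, transitive=True)]
    web.mkdir("projects").acl = [AclEntry("alice", ALL_RIGHTS)]
    web.mkdir("archive")
    # user.alice volume mounted under the web tree: its own root, own ACLs
    web.mkdir("users").mkdir("alice", volume_root=True).acl = [AclEntry("alice", ALL_RIGHTS)]
    return root


ALICE = frozenset({"alice", "system:authuser", "system:anyuser"})


def demo():
    root = build_cell()
    projects = lookup(root, "/afs/example.cell/web/projects")
    before = effective_rights(projects, ALICE)
    move(projects, lookup(root, "/afs/example.cell/web/archive"))
    after = effective_rights(lookup(root, "/afs/example.cell/web/archive/projects"), ALICE)
    home = lookup(root, "/afs/example.cell/web/users/alice")
    unmarked = effective_rights(home, ALICE)
    restrict_admin(home)
    marked = effective_rights(home, ALICE)
    return {"projects_before": "".join(sorted(before)),
            "projects_after_mv": "".join(sorted(after)),
            "alice_volume_unmarked": "".join(sorted(unmarked)),
            "alice_volume_marked": "".join(sorted(marked))}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:24s} {v}")
```

Under these assumed semantics the transitive negative entry on `web/` survives an in-volume `mv` (the moved directory still sits under the same volume root), which is the behaviour argued for above; but a user volume mounted at `web/users/alice` is untouched until the same entry is set on that volume's root, which is the limitation raised in the reply.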