[AFS3-std] Re: "l" permissions are not actually weaker than we're
telling people
Andrew Deason
adeason@sinenomine.net
Mon, 18 Jan 2010 14:07:45 -0600
On Mon, 18 Jan 2010 14:32:56 -0500
Derrick Brashear <shadow@gmail.com> wrote:
> > Does this mean that if we have a setup like this:
> >
> > =A0 =A0mkdir foo
> > =A0 =A0fs sa foo system:anyuser rlidw
> > =A0 =A0mkdir foo/bar
> > =A0 =A0fs sa foo system:anyuser none
> >
> > That anonymous users can access "foo/bar/", so long as they know
> > the FID for "bar" -- either because the fourth command wasn't
> > executed immediately after the third, or else because they were
> > simply patient enough to guess it?
>=20
> Doesn't mean that in the slightest. Note that foo/bar/ is a directory
> and not actual data, but, the case is the same regardless.
> Permissions are enforced for every vnode. Look at
> Check_PermissionRights in afsfileprocs.c
I'm not sure if I'm misunderstanding you or Adam... because, yes it does
mean that. You can access files in foo/bar/ if you have the rights on
foo/bar/; the rights on foo/ do not come into play. Right?
So if you have rl on foo/bar/ but nothing on foo/, you can still read
files in foo/bar/ provided you know their FID.
--=20
Andrew Deason
adeason@sinenomine.net