[AFS3-std] Re: "l" permissions are not actually weaker than we're
telling people
Adam Megacz
adam@megacz.com
Wed, 20 Jan 2010 17:26:04 +0000
Derrick Brashear <shadow@gmail.com> writes:
> if there is somewhere we advertise that the permissions on a file are
> the intersection of the permissions granted by the ACLs on all
> directories above it in the volume, we should fix that. I am aware of
> no such claim being made. A reference to such would be appreciated.
Oh, not in general, but just for the "l" bit -- I got that impression in
the CMU beat-andrew-into-the-dumb-undergrads'-head-course (I forget the
real name).
Looking back, I guess none of the documentation actually flat-out says
that the "l" bit behaves transitively; I seem to have misread it as
having that effect (see below).
So, as a coda to the whole transitive-ACL thing, I was under the
impression that one of the bits already had transitive behavior; in that
situation, the option to let the others act transitively made a
reasonable amount of sense. But it appears I was mistaken, so adding
transitive behavior would actually be a massive (and therefore unwise)
change in behavior. Sorry for the noise!
- a
In the OpenAFS User Guide:
"The l (lookup) permission ... In particular, a user must have this
permission to access anything in the directory's subdirectories"
http://docs.openafs.org/UserGuide/ch04s02.html
On the AFSLore Wiki:
"l Permission to examine the ACL and traverse the directory"
http://www.dementia.org/twiki/bin/view/AFSLore/UsageFAQ#2_04_What_is_an_AFS_access_contr
Elsewhere on the interwebs:
"l for the right to list the names of files in the directory. You must
have at least the 'l' right on the parent directory to access a
subdirectory (even if you have full permissions on the
subdirectory)."
http://www.physics.umd.edu/pnce/user-docs/HowTos/afs-acls.html
(apparently you just need the FID of the subdirectory)