[OpenAFS-devel] Re: Methods of Restricting AFS3 ACL rights
Derek Atkins
warlord@MIT.EDU
Sat, 16 Jan 2010 11:22:04 -0500
Adam Megacz <adam@megacz.com> writes:
> Andrew Deason <adeason@sinenomine.net> writes:
>> The explanation for the various methods now exists as an Internet
>> Draft, and can be found here:
>
> AFAIK, a volume is the unit of space management, while a directory is
> the unit of access management. [*]
>
> Solving the problem being discussed while retaining this distinction
> would involve:
>
> 1. Allowing transitive ACLs. Semantically, a transitive positive
> (negative) ACL has the same effect as if it were appended to the
> list of positive (negative) ACLs of every subdirectory.
>
> 2. Allowing for complement principals. Semantically, an ACL
> mentioning the complement of a pts group applies to all users who
> are not in that group.
>
> Then one can:
>
> fs sa /afs/@cell/web/ !system:authuser a -negative -transitive
>
> That said, this is a huge amount of work to implement, and maybe even
> impossible to implement without creating incompatibilities.
>
> So perhaps a hack based on volume boundaries is the best compromise.

I don't think it would be possible to have a transitive ACL across a
mountpoint boundary, because a volume can be mounted in multiple
locations. However, I think it would be possible to create a transitive
ACL *within* a volume. But of course it would require clients that
understood the ACL to properly enforce it.

> - a
>
> [*] The only two exceptions I know of are the "implicit ACL"
> http://www.dementia.org/twiki/bin/view/AFSLore/UsageFAQ#2_21_What_meaning_do_the_owner_g
> and the fact that you can't revoke "l" permissions from the "parent
> directory" of the root directory of a volume.
-derek
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
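
The semantics discussed in this message, as an added example that is not part of the original thread and is not OpenAFS code: a small Python model of the proposed transitive and complement ACL entries, with transitive entries stopping at a volume boundary as the reply suggests. The `Entry` and `Directory` classes, the volume names and the sample tree are hypothetical and constructed for illustration; rights are computed as the positive rights minus the negative rights.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Entry:
    principal: str            # user name or pts group name
    rights: frozenset         # subset of the AFS rights letters "rlidwka"
    negative: bool = False
    transitive: bool = False  # proposed extension from the thread
    complement: bool = False  # proposed "!group" extension from the thread

@dataclass
class Directory:
    name: str
    volume: str               # volume holding this directory
    acl: list = field(default_factory=list)
    parent: "Directory | None" = None

def matches(entry, user, groups):
    # A complement entry applies to exactly the users a plain entry would not.
    member = entry.principal == user or entry.principal in groups
    return member != entry.complement

def applicable(d):
    # Own entries plus transitive entries of ancestors in the SAME volume;
    # the walk stops at a mount point because the volume changes there.
    entries = list(d.acl)
    anc = d.parent
    while anc is not None and anc.volume == d.volume:
        entries += [e for e in anc.acl if e.transitive]
        anc = anc.parent
    return entries

def effective_rights(d, user, groups):
    # Union of matching positive rights minus union of matching negative rights.
    pos, neg = set(), set()
    for e in applicable(d):
        if matches(e, user, groups):
            (neg if e.negative else pos).update(e.rights)
    return pos - neg

# Constructed sample tree: web/ and web/docs/ share a volume; web/docs/user/
# is the root of a different volume mounted there.
web = Directory("web", "vol.web", [
    Entry("system:anyuser", frozenset("rl")),
    Entry("system:authuser", frozenset("a"), negative=True,
          transitive=True, complement=True),  # "!system:authuser a -negative -transitive"
])
docs = Directory("docs", "vol.web", [Entry("system:anyuser", frozenset("rla"))], web)
mounted = Directory("user", "vol.user", [Entry("system:anyuser", frozenset("rla"))], docs)
```

In this model an unauthenticated user loses `a` on `docs` but keeps it on `user`, because the transitive negative entry does not follow the mount point into the second volume.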