[OpenAFS-devel] Re: Methods of Restricting AFS3 ACL rights

Derek Atkins warlord@MIT.EDU
Sat, 16 Jan 2010 11:22:04 -0500


Adam Megacz <adam@megacz.com> writes:

> Andrew Deason <adeason@sinenomine.net> writes:
>> The explanation for the various methods now exists as an Internet
>> Draft, and can be found here:
>
> AFAIK, a volume is the unit of space management, while a directory is
> the unit of access management. [*]
>
> Solving the problem being discussed while retaining this distinction
> would involve:
>
>   1. Allowing transitive ACLs.  Semantically, a transitive positive
>      (negative) ACL has the same effect as if it were appended to the
>      list of positive (negative) ACLs of every subdirectory.
>
>   2. Allowing for complement principals.  Semantically, an ACL
>      mentioning the complement of a pts group applies to all users who
>      are not in that group.
>
> Then one can:
>
>   fs sa /afs/@cell/web/ !system:authuser a -negative -transitive
>
> That said, this is a huge amount of work to implement, and maybe even
> impossible to implement without creating incompatibilities.
>
> So perhaps a hack based on volume boundaries is the best compromise.

I don't think it would be possible to have a transitive ACL across a
mountpoint boundary, because a volume can be mounted in multiple
locations.  However, I think it would be possible to create a transitive
ACL *within* a volume.  But of course it would require clients that
understood the ACL to properly enforce it.

>   - a
>
> [*] The only two exceptions I know of are the "implicit ACL"
>     http://www.dementia.org/twiki/bin/view/AFSLore/UsageFAQ#2_21_What_meaning_do_the_owner_g
>     and the fact that you can't revoke "l" permissions from the "parent
>     directory" of the root directory of a volume.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
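
Added illustration, not part of the original message and not OpenAFS code: a small Python model of the two proposed semantics (transitive entries and complement principals), with transitive inheritance stopping at the volume boundary as the reply suggests. The `Entry`, `Dir` and `effective_rights` names and the sample tree are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Entry:
    group: str                 # pts group name
    rights: str                # AFS rights letters, e.g. "rl" or "a"
    negative: bool = False
    transitive: bool = False   # proposed: also applies to subdirectories
    complement: bool = False   # proposed: applies to users NOT in the group

@dataclass
class Dir:
    name: str
    volume: str                # volume that holds this directory
    parent: "Dir | None" = None
    acl: list = field(default_factory=list)

def applicable(d):
    """Entries on d, plus transitive entries of ancestors in the same volume."""
    yield from d.acl
    anc = d.parent
    # Stop at the first ancestor in another volume: a volume can be mounted
    # in several places, so nothing is inherited across a mount point.
    while anc is not None and anc.volume == d.volume:
        yield from (e for e in anc.acl if e.transitive)
        anc = anc.parent

def effective_rights(d, user_groups):
    """Positive rights minus negative rights for a user in user_groups."""
    pos, neg = set(), set()
    for e in applicable(d):
        member = e.group in user_groups
        if member != e.complement:   # a complement entry matches non-members
            (neg if e.negative else pos).update(e.rights)
    return pos - neg

# Constructed sample tree: /web and /web/site live in volume "web";
# /web/site/proj is the root of a separate volume mounted there.
web = Dir("web", "web", acl=[
    Entry("system:anyuser", "rl"),
    # models: fs sa /afs/@cell/web/ !system:authuser a -negative -transitive
    Entry("system:authuser", "a", negative=True, transitive=True, complement=True),
])
site = Dir("site", "web", parent=web, acl=[Entry("system:anyuser", "rla")])
proj = Dir("proj", "proj", parent=site, acl=[Entry("system:anyuser", "rla")])

ANON = {"system:anyuser"}
AUTH = {"system:anyuser", "system:authuser"}
```

In this model an unauthenticated user loses "a" on `site` even though its own ACL grants it, but keeps "a" on `proj`, because the transitive entry is not carried across the mount point.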