[OpenAFS-devel] are "l" permissions actually weaker than we're telling people?

Adam Megacz adam@megacz.com
Mon, 18 Jan 2010 19:26:01 +0000


Jeffrey Altman <jaltman@secure-endpoints.com> writes:
> One of the reasons for this approach is that file servers do not process
> paths when responding to the cache manager requests.

I was actually stunned by this when I read vnode.c/viced.c... apparently
RENAME is the only operation that walks to the root of the directory
hierarchy (because the fileserver must guard against cyclic directory
paths).  Surprising!

Does this mean that if we have a setup like this:

    mkdir foo
    fs sa foo system:anyuser rlidw
    mkdir foo/bar
    fs sa foo system:anyuser none

That anonymous users can access "foo/bar/", so long as they know the FID
for "bar" -- either because the fourth command wasn't executed
immediately after the third, or else because they were simply patient
enough to guess it?

That's something I think might be worth documenting as a security
concern (and plenty of other similar cases).

Thanks for your patience in clarifying my understanding of how all of
this works...  apologies if I can be a bit dense at times.  I'm trying
to understand why things work the way they do rather than just how they
work.

  - a
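
An added example, not part of the original post or of OpenAFS: a small Python model of the four commands above. It assumes, as the post asks, that rights are checked only against a directory's own ACL, and that a new directory starts with a copy of its parent's ACL. It lists directories where a principal still holds rights on the directory itself while an ancestor no longer grants "l", i.e. directories protected only by their path. The function names and the path-keyed dict are hypothetical.

```python
# Constructed model: every directory carries its own ACL. Keyed by path here
# for readability; a fileserver would key by FID. Negative rights are ignored.

def mkdir(acls, path):
    """A new directory starts with a copy of its parent's ACL."""
    parent = path.rsplit("/", 1)[0] if "/" in path else ""
    acls[path] = dict(acls.get(parent, {}))

def setacl(acls, path, principal, rights):
    """Stand-in for `fs sa path principal rights`; 'none' drops the entry."""
    if rights == "none":
        acls[path].pop(principal, None)
    else:
        acls[path][principal] = rights

def ancestors(path):
    """Ancestor directories of path, excluding the volume root ("")."""
    parts = path.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts))]

def path_only_protected(acls, principal):
    """Directories whose own ACL grants rights but some ancestor lacks 'l'."""
    findings = []
    for path, acl in sorted(acls.items()):
        own = acl.get(principal, "")
        if not own:
            continue
        blocked = [a for a in ancestors(path)
                   if "l" not in acls.get(a, {}).get(principal, "")]
        if blocked:
            findings.append((path, own, blocked))
    return findings

def replay_post_example(also_fix_child=False):
    """Replay the four commands from the post on a constructed volume."""
    acls = {"": {"system:administrators": "rlidwka"}}  # constructed root ACL
    mkdir(acls, "foo")
    setacl(acls, "foo", "system:anyuser", "rlidw")
    mkdir(acls, "foo/bar")                      # copies foo's ACL at this moment
    setacl(acls, "foo", "system:anyuser", "none")
    if also_fix_child:                          # remediation: fix the child too
        setacl(acls, "foo/bar", "system:anyuser", "none")
    return path_only_protected(acls, "system:anyuser")

if __name__ == "__main__":
    for path, rights, blocked in replay_post_example():
        print(f"{path}: system:anyuser {rights}, but no 'l' on {blocked}")
```

Under these assumptions the finding disappears only when the child directory's own ACL is changed as well.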