[OpenAFS-devel] RE: [AFS3-std] Re: "l" permissions are not actually weaker than we're telling people

Buhrmaster, Gary gtb@slac.stanford.edu
Mon, 18 Jan 2010 12:27:33 -0800


> I'm not sure if I'm misunderstanding you or Adam... because, yes it does
> mean that. You can access files in foo/bar/ if you have the rights on
> foo/bar/; the rights on foo/ do not come into play. Right?

Also remember that foo/bar/ *could* be a different volume
than foo/ (not in the example, but generically), and that
volume may be mounted in many other locations, with different
path permissions (or .../bar/ split into another volume at
some future point to manage space, allowing others to mount
it via different paths/permissions).

For "planning" purposes, plan that only the ACLs on the
lowest level matter.  Do not depend on path ACLs to enforce
policy.

(This thread brings back memories of the "access by inode"
issue that some unix variants have offered, and the path
permissions discussions.)
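An added example, not part of the original message: one way to audit for the mistake described above is to flag every directory whose own ACL grants rights to a principal that a parent directory's ACL does not give lookup ("l") to, since that grant is only "protected" by the path. The ACL data, the `example.org` cell name and the function names are constructed for illustration; principals are compared literally, with no group expansion or negative rights.

```python
"""Audit sketch: find grants that rely on a parent directory's ACL for protection."""
from pathlib import PurePosixPath

# Constructed sample data: directory -> {principal: AFS rights string}.
# In practice this would be collected per directory, e.g. from `fs listacl`.
SAMPLE_ACLS = {
    "/afs/example.org/foo": {
        "system:administrators": "rlidwka",
        "staff": "rl",
    },
    "/afs/example.org/foo/bar": {
        "system:administrators": "rlidwka",
        "staff": "rl",
        "system:anyuser": "rl",   # granted here, but not on foo/
    },
    "/afs/example.org/foo/baz": {
        "system:administrators": "rlidwka",
        "staff": "rlidwk",
    },
}


def ancestors(path, acls):
    """Yield ancestors of path (nearest first) that have an ACL recorded."""
    for parent in PurePosixPath(path).parents:
        if str(parent) in acls:
            yield str(parent)


def path_dependent_grants(acls):
    """Return (directory, principal, rights, ancestor) for each grant whose
    principal lacks lookup on some ancestor. Such a grant is effective on its
    own: another mount point, or access that skips the path walk, reaches it."""
    findings = []
    for directory in sorted(acls):
        for principal, rights in sorted(acls[directory].items()):
            if not rights:
                continue
            for parent in ancestors(directory, acls):
                if "l" not in acls[parent].get(principal, ""):
                    findings.append((directory, principal, rights, parent))
                    break  # one blocking ancestor is enough to report
    return findings


if __name__ == "__main__":
    for directory, principal, rights, parent in path_dependent_grants(SAMPLE_ACLS):
        print(f"{directory}: {principal} has '{rights}' but no 'l' on {parent}")
```

Each finding is a directory to review on its own ACL: either the grant is intended for that principal regardless of path, or it should be removed from the directory itself.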