[OpenAFS-devel] Re: Methods of Restricting AFS3 ACL rights (correctness+performance)

Russ Allbery rra@stanford.edu
Mon, 18 Jan 2010 12:49:49 -0800


Adam Megacz <adam@megacz.com> writes:
> Jeffrey Altman <jaltman@secure-endpoints.com> writes:

>> If you want to apply a different policy to a sub tree within the volume
>> user.foo, then you would split the volume at the directory where you
>> want the new policy to take effect and apply the policy to the new
>> volume.

> Then what you really meant was "it's not terribly useful to superusers
> unless you always use it at the volume root".

> I can agree with that statement.

I believe it's more than not terribly useful.  I believe it actually
doesn't work if applied to arbitrary directories due to the way the AFS
wire protocol works and the way the file server thinks about objects.

What volume a given file is included in is something that stays consistent
in AFS.  The *data* can be moved between volumes, but the file isn't.  To
move a file to another volume, you're actually deleting the old one and
creating a new one.  To some extent this is also true of what directory a
file is contained in, due to disallowing cross-directory hardlinks and
whatnot.  But what directory *tree* a file is part of is ill-defined and
could be changing dynamically during the operation because someone is
moving directories around.  Ascending a directory tree is an ill-defined
operation.

This is generally true in UNIX file systems as well, by the way.  It's not
particularly difficult to confuse getcwd(), which is the same algorithm
that would be required to determine transitive ACLs at a directory level.
I do it all the time by accident.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
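A toy model of the walk-up the message describes, added here as an example (it is not code from this thread or from OpenAFS): the directory tree, the single-letter rights and the rule that effective rights are the intersection of every ancestor's rights are constructed assumptions. It shows why ascending the tree is ill-defined under concurrent moves: two renames interleaved with the walk produce rights that match neither the tree before nor the tree after, including a right the file never had in any consistent state.

```python
"""Toy model: evaluating 'transitive' directory ACLs by ascending the tree.

Constructed example, not AFS code. Rights letters and the intersection
rule are assumptions made for illustration only.
"""
from typing import Dict, Iterator, Optional, Set, Tuple


class Node:
    def __init__(self, name: str, rights: Set[str], parent: Optional["Node"] = None):
        self.name, self.rights, self.parent = name, set(rights), parent


def rename(node: Node, new_parent: Node) -> None:
    node.parent = new_parent  # one atomic pointer update in this model


def walk_up(node: Node) -> Iterator[Set[str]]:
    """Yield the running intersection after each ancestor step.
    The pause at each yield is where a concurrent rename can slip in."""
    eff = set(node.rights)
    while node is not None:
        eff &= node.rights
        yield eff
        node = node.parent  # parent pointer is read only after the yield


def effective(node: Node) -> Set[str]:
    """Walk to completion with no interference: a consistent snapshot."""
    result: Set[str] = set()
    for result in walk_up(node):
        pass
    return result


def build_tree() -> Dict[str, Node]:
    root = Node("root", {"r", "l", "w", "k"})
    alpha = Node("alpha", {"r", "l", "w"}, root)  # no 'k'
    beta = Node("beta", {"r", "l", "k"}, root)    # no 'w'
    gamma = Node("gamma", {"r", "l"}, root)       # read-only
    proj = Node("proj", {"r", "l", "w", "k"}, alpha)
    sub = Node("sub", {"r", "l", "w", "k"}, proj)
    f = Node("f", {"r", "l", "w", "k"}, sub)
    return {n.name: n for n in (root, alpha, beta, gamma, proj, sub, f)}


def torn_walk() -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (rights before, rights seen by an interrupted walk, rights after)."""
    t = build_tree()
    before = effective(t["f"])
    walker = walk_up(t["f"])
    for _ in range(3):          # consumed f, sub, proj; about to read proj.parent
        partial = next(walker)
    rename(t["sub"], t["gamma"])  # below the walker's position: never seen
    rename(t["proj"], t["beta"])  # above the walker's position: followed
    for partial in walker:
        pass
    after = effective(t["f"])
    return before, partial, after
```

Run `torn_walk()`: the interrupted walk grants `k`, which neither the old nor the new tree ever granted to `f`.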