[OpenAFS-devel] Re: [AFS3-std] Re: "l" permissions are not actually weaker than we're telling people

[Adam Megacz]

Derrick Brashear <shadow@gmail.com> writes:
> if there is somewhere we advertise that the permissions on a file are
> the intersection of the permissions granted by the ACLs on all
> directories above it in the volume, we should fix that. I am aware of
> no such claim being made. A reference to such would be appreciated.

Oh, not in general, but just for the "l" bit -- I got that impression in
the CMU beat-andrew-into-the-dumb-undergrads'-head-course (I forget the
real name).

Looking back, I guess none of the documentation actually flat-out says
that the "l" bit behaves transitively; I seem to have misread it as
having that effect (see below).

So, as a coda to the whole transitive-ACL thing, I was under the
impression that one of the bits already had transitive behavior; in that
situation, the option to let the others act transitively made a
reasonable amount of sense.  But it appears I was mistaken, so adding
transitive behavior would actually be a massive (and therefore unwise)
change in behavior.  Sorry for the noise!

  - a


In the OpenAFS User Guide:

  "The l (lookup) permission ... In particular, a user must have this
   permission to access anything in the directory's subdirectories"

   http://docs.openafs.org/UserGuide/ch04s02.html

On the AFSLore Wiki:

  "l Permission to examine the ACL and traverse the directory"

  http://www.dementia.org/twiki/bin/view/AFSLore/UsageFAQ#2_04_What_is_an_AFS_access_contr

Elsewhere on the interwebs:

  "l for the right to list the names of files in the directory. You must
   have at least the 'l' right on the parent directory to access a
   subdirectory (even if you have full permissions on the
   subdirectory)."

  http://www.physics.umd.edu/pnce/user-docs/HowTos/afs-acls.html

  (apparently you just need the FID of the subdirectory)