[OpenAFS-devel] Re: [AFS3-std] Re: "l" permissions are not actually weaker than we're
telling people
Derrick Brashear
shadow@gmail.com
Mon, 18 Jan 2010 15:11:25 -0500
On Mon, Jan 18, 2010 at 3:07 PM, Andrew Deason <adeason@sinenomine.net> wro=
te:
> On Mon, 18 Jan 2010 14:32:56 -0500
> Derrick Brashear <shadow@gmail.com> wrote:
>
>> > Does this mean that if we have a setup like this:
>> >
>> > =A0 =A0mkdir foo
>> > =A0 =A0fs sa foo system:anyuser rlidw
>> > =A0 =A0mkdir foo/bar
>> > =A0 =A0fs sa foo system:anyuser none
>> >
>> > That anonymous users can access "foo/bar/", so long as they know
>> > the FID for "bar" -- either because the fourth command wasn't
>> > executed immediately after the third, or else because they were
>> > simply patient enough to guess it?
>>
>> Doesn't mean that in the slightest. Note that foo/bar/ is a directory
>> and not actual data, but, the case is the same regardless.
>> Permissions are enforced for every vnode. Look at
>> Check_PermissionRights in afsfileprocs.c
>
> I'm not sure if I'm misunderstanding you or Adam... because, yes it does
> mean that. You can access files in foo/bar/ if you have the rights on
> foo/bar/; the rights on foo/ do not come into play. Right?
Correct.
If you're bored, you can read every FID you can read. Just read them
one at a time, starting with 1.
Don't want to let someone read something? There are these ACLs.... set them=
.