[OpenAFS] Setting owner (as AFS user/group) on directories
Charles Karney
ckarney@sarnoff.com
Sat, 28 Jul 2001 23:07:56 -0400 (EDT)
> From: Jeffrey Hutzelman <jhutz@cmu.edu>
> Subject: Re: [OpenAFS] Setting the setacl on newly created volumes
> Date: Tue, 24 Jul 2001 01:34:49 -0400 (EDT)
>
> The owner of a directory appears as its UNIX owner, and has implicit 'a'
> rights on the directory. The owner of a volume is the same as the owner
> of its top-level directory, and has implicit 'a' rights on every directory
> in the volume.
> From: Derrick J Brashear <shadow@dementia.org>
> Date: Tue, 24 Jul 2001 01:40:50 -0400 (EDT)
>
> Note that you can set a negative owner in which case the pts group
> corresponding to that negative number will own the volume. Your OS may not
> let you do that unless you cheat, but nonetheless it is true.
Wow!! This is pretty powerful stuff and, given that it affects security in
a rather fundamental way, I'm rather surprised that the IBM AFS
documentation glosses over these issues.
This also brings up another point, namely that the OWNER field in
chown OWNER file
chown OWNER directory
mean completely different things. In the first case OWNER is a Unix user
and in the second case OWNER is an AFS user. Given also that
chown GROUP directory
means something useful, it would appear that there really needs to be a new
fs command to handle setting the ownership of a directory, such as
fs setowner -dir dir+ -user user
fs setowner -dir dir+ -group group
The -user and -group flags would both set the same "owner" field. (I
believe that the "group" field on an AFS directory is purely cosmetic.)
The advantages of "fs setowner" over "chown" are:
(1) it's clear that this affects fundamental access rights;
(2) it's clear that user and group are interpreted as AFS entities;
(3) it allows you to set a negative owner ID to denote a group.
--
Charles Karney Email: ckarney@sarnoff.com
Sarnoff Corporation Phone: +1 609 734 2312
Princeton, NJ 08543-5300 Fax: +1 609 734 2586
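The ownership semantics quoted above (positive owner id = AFS user, negative owner id = pts group, implicit 'a' for the directory owner, implicit 'a' on every directory for the volume owner) are easy to get wrong when reasoning about an ACL audit, so here is a small model of them. This is an added example, not code from the original post or from OpenAFS; it does not talk to a real cell. The pts database (users 1001-1003, group "admins" = -205), the volume name and the directory paths are constructed for illustration.

```python
"""Model of AFS directory ownership as described in the thread.

An AFS directory's owner field holds a pts id: a positive id is a user,
a negative id is a pts group.  The owner of a directory has implicit 'a'
on that directory; the owner of the volume (the owner of its top-level
directory) has implicit 'a' on every directory in the volume.  Explicit
ACL entries are OR'd in on top.  All ids and names below are constructed.
"""
from dataclasses import dataclass, field

# Constructed pts database: user ids positive, group ids negative.
PTS_USERS = {"alice": 1001, "bob": 1002, "carol": 1003}
PTS_GROUPS = {"admins": -205}
PTS_MEMBERS = {-205: {"alice", "carol"}}   # members of group -205


@dataclass
class Directory:
    path: str
    owner: int                               # pts id: >0 user, <0 group
    acl: dict = field(default_factory=dict)  # principal name -> rights string


@dataclass
class Volume:
    name: str
    dirs: dict                               # path -> Directory, must contain "/"

    @property
    def owner(self) -> int:
        """Volume owner == owner of the top-level directory."""
        return self.dirs["/"].owner


def principal_matches(owner_id: int, user: str) -> bool:
    """True if `user` is the owning user, or a member of the owning pts group."""
    if owner_id > 0:
        return PTS_USERS.get(user) == owner_id
    return user in PTS_MEMBERS.get(owner_id, set())


def effective_rights(vol: Volume, path: str, user: str) -> set:
    """Rights `user` holds on `path`: explicit ACL entries (user and group)
    plus the implicit 'a' conferred by directory or volume ownership."""
    d = vol.dirs[path]
    rights = set(d.acl.get(user, ""))
    for gname, gid in PTS_GROUPS.items():
        if user in PTS_MEMBERS.get(gid, set()):
            rights |= set(d.acl.get(gname, ""))
    if principal_matches(d.owner, user) or principal_matches(vol.owner, user):
        rights.add("a")
    return rights


def chown_dir(vol: Volume, path: str, owner: int) -> None:
    """Model of `chown OWNER directory` on AFS: the integer is stored in the
    directory's AFS owner field; a negative value names a pts group."""
    vol.dirs[path].owner = owner


def build_example_volume() -> Volume:
    """Constructed volume: owned by alice, with /priv owned by bob."""
    return Volume("user.alice", {
        "/":     Directory("/", PTS_USERS["alice"], {"bob": "rl"}),
        "/priv": Directory("/priv", PTS_USERS["bob"], {}),
    })


if __name__ == "__main__":
    vol = build_example_volume()
    for who in ("alice", "bob", "carol"):
        print(who, "/priv", sorted(effective_rights(vol, "/priv", who)))
    chown_dir(vol, "/priv", PTS_GROUPS["admins"])   # hand /priv to a pts group
    for who in ("alice", "bob", "carol"):
        print(who, "/priv after chown -205", sorted(effective_rights(vol, "/priv", who)))
```

The interesting case is the last loop: after the owner field of /priv is set to -205, carol gains 'a' on it purely through group membership, with no ACL entry naming her, while bob, who created it, loses it. That is the "fundamental access rights" point the message makes about a plain chown on a directory.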