[OpenAFS] anon FTP upload directory ACL
Charles Clancy
security@xauth.net
Sat, 1 Jun 2002 10:08:43 -0500 (CDT)
> My first guess of the incoming was/is
>
> [papadoc.pts/1]$ fs la /afs/bayour.com/public/ftp/incoming
> Access list for /afs/bayour.com/public/ftp/incoming is
> Normal rights:
> system:administrators rlidwka
> system:anyuser rlidwk
> Negative rights:
> system:anyuser rd
Try just giving system:anyuser "iwk" rights. You probably don't even
need "k" rights. Add "l" if you want anonymous user to be able to see an
ls.
> The big problem is that if 'anonymous' uploads anything,
> I (as user 'turbo' with admin rights) can't delete this
> file!
See, the negative rights are overriding your access when you have a token.
Just don't use the negative rights.
I think it builds effective rights by first looking at the positive and
then negative rights. So, you have something like:
1. have token for admin
2. admin has rlidwka
3. admin matches system:anyuser so add in (redundant) rlidwk rights
4. my effective rights are now rlidwka, so apply negative rights
5. admin matches system:anyuser so subtract rd
6. new admin effective rights are liwka (list, insert, write, lock, admin)
[ t charles clancy ]-[ tclancy@uiuc.edu ]-[ uiuc.edu/~tclancy ]
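The six-step evaluation described in the reply, as an added Python model (not code from the thread or from OpenAFS): positive entries for every principal the user matches are OR-ed together, then negative entries are subtracted. It assumes every user, with or without a token, matches system:anyuser, and it does not model the implicit rights AFS grants to system:administrators members.

```python
# Added example: model of AFS effective-rights computation as described above.
# Assumption: every principal list includes system:anyuser (token or not);
# implicit system:administrators privileges are not modelled.

AFS_RIGHTS = "rlidwka"  # read, lookup, insert, delete, write, lock, administer


def parse_fs_la(output):
    """Parse `fs la` output into (normal, negative) dicts of entry -> rights."""
    normal, negative = {}, {}
    current = None
    for line in output.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("Access list for"):
            continue
        if line == "Normal rights:":
            current = normal
        elif line == "Negative rights:":
            current = negative
        elif current is not None:
            entry, rights = line.split()
            current[entry] = rights
    return normal, negative


def effective_rights(normal, negative, principals):
    """Rights a user ends up with, given every ACL entry they match."""
    granted = set()
    for p in principals:                      # steps 2-3: union of positive rights
        granted |= set(normal.get(p, ""))
    for p in principals:                      # steps 4-5: subtract negative rights
        granted -= set(negative.get(p, ""))
    return "".join(c for c in AFS_RIGHTS if c in granted)


# Constructed sample: the ACL quoted in the thread (negative rights in use).
ORIGINAL_ACL = """
Access list for /afs/bayour.com/public/ftp/incoming is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidwk
Negative rights:
  system:anyuser rd
"""

# Constructed sample: the ACL the reply suggests (no negative rights, "iwk" only).
SUGGESTED_ACL = """
Access list for /afs/bayour.com/public/ftp/incoming is
Normal rights:
  system:administrators rlidwka
  system:anyuser iwk
"""
```

With the original ACL an administrator is left with "liwka" (no read, no delete, exactly the problem reported), while with the suggested ACL the administrator keeps "rlidwka" and anonymous users get only "iwk".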