[OpenAFS] ACLs and open-afs
Brent Johnson
Brent.A.Johnson@jpl.nasa.gov
Thu, 10 Oct 2002 17:42:54 -0700
Jim,
Jim Rees wrote:
> Actually it has turned out to be a blessing. There are very few situations
> where in AFS you need to have an ACL on a file.
>
>Allow me to vehemently disagree. Lack of file acls is one of the greatest
>misfeatures of afs.
>
>Take a look at your home directory for an example. Lots of little tiny
>files and directories, some of which must be world readable, some of which
>must not. My own home dir is a nightmare of symlinks. Same thing for
>~/.ssh. And not having a separate "initial file acl" on directories means
>if I want my home directory readable (so I can login without tokens) I run
>the risk of having files like .Xauthority pop up, world readable, opening a
>huge security hole.
>
Just for my info, why is this a huge security hole?
-Brent
>
>DCE got a few things right, and this is one of them.
>_______________________________________________
>OpenAFS-info mailing list
>OpenAFS-info@openafs.org
>https://lists.openafs.org/mailman/listinfo/openafs-info
>
>
--
Brent A. Johnson
JPL File Services Engineer
Jet Propulsion Laboratory
Telephone: 4-2138 or 818-354-2138 Pager: 1-800-759-8888 PIN=1256866
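
Added example, not part of the original message or of OpenAFS: a small audit for the situation described in the quoted text, where a home directory readable by system:anyuser exposes every file created in it because AFS ACLs apply per directory. The `fs listacl` output, the cell path, the file listing and the sensitive-name patterns are constructed assumptions, and Unix mode bits are not considered.

```python
import re

# Constructed sample of `fs listacl` output for a home directory that is
# readable without tokens (not taken from the thread).
SAMPLE_LISTACL = """\
Access list for /afs/example.org/user/alice is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  alice rlidwka
"""

# Constructed directory listing; the sensitive-name patterns are assumptions.
SAMPLE_FILES = [".Xauthority", ".profile", ".netrc", "public.html", ".bash_history"]
SENSITIVE = re.compile(r"^(\.Xauthority|\.netrc|\..*_history|id_[a-z0-9]+)$")


def parse_listacl(text):
    """Return (normal, negative) dicts mapping principal -> rights string."""
    normal, negative, current = {}, {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Normal rights:":
            current = normal
        elif stripped == "Negative rights:":
            current = negative
        elif current is not None and stripped:
            principal, rights = stripped.rsplit(None, 1)
            current[principal] = rights
    return normal, negative


def world_readable(normal, negative):
    """True when system:anyuser holds the r (read) right and it is not negated."""
    granted = set(normal.get("system:anyuser", ""))
    denied = set(negative.get("system:anyuser", ""))
    return "r" in granted - denied


def exposed_files(listacl_text, filenames):
    """The directory ACL covers every file in it, so list each sensitive name."""
    normal, negative = parse_listacl(listacl_text)
    if not world_readable(normal, negative):
        return []
    return sorted(f for f in filenames if SENSITIVE.match(f))


if __name__ == "__main__":
    for name in exposed_files(SAMPLE_LISTACL, SAMPLE_FILES):
        print("readable by system:anyuser:", name)
```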