[OpenAFS] ACLs and open-afs

Tom Reinhart rhino_tom@hotmail.com
Tue, 15 Oct 2002 21:02:34 -0700


>The problem of restricting access to files in directories with rl-rights
>for system:anyuser could be solved by a different implementation in the
>fileserver: We did this for MR-AFS in the way that the mode-bits for
>"other" restrict the access for system:anyuser. The problem here is that
>users have been told too long that the mode-bits for "group" and "other"
>are worthless in AFS and they mostly are set randomly. Therefore we
>require the fileserver to be started with an option "-modebits" in order
>to enable this feature.
>
>This could easily be implemented in OpenAFS as well.


I'm reading this discussion with interest, especially after having posted 
essentially the same suggestion in another thread (See subject: "Hidden 
directories").  I think having more "unix-like" filesystem semantics would 
be a very good thing, at least as much as possible given the limitations of 
a networked filesystem.  I also agree that per-file ACLs are overkill in 
terms of the design of AFS, especially when the existing mode bits could be 
reused for much of the same purpose without any large architectural changes 
to AFS.  One thing I would point out about the way you are doing it is that 
forcing the AFS admin to use a global flag to enable modebits probably would 
not be acceptable in large cells with tens of thousands of users; it would be 
an upgrade, not to mention educational, nightmare.  A better way to enable 
this functionality would be for this to be a per-user profile flag.  Then, 
backwards compatibility with old AFS behavior would be the default, but users 
who are aware of and want this new functionality would execute a command to 
enable the modebits for directories they own.  Alternately, modebits could 
be enabled per-directory if that led to an easier implementation, although I 
think per-user would be more friendly.

Tom
