[OpenAFS] Access rights on openafs

Christophe BERNARD Christophe.BERNARD@cmm.ensmp.fr
Fri, 13 Jun 2003 08:46:13 +0200 (CEST)


Hello.

I am using openafs (1.2.9/RH8.0) and I am very happy with it. I tried to
play a little with access rights, and noticed 2 strange things I would 
like to comment on:

1. The behaviour of openafs is somewhat different to what is
described in the doc:

  http://www.openafs.org/pages/doc/AdminGuide/auagd020.htm

Doc says: "If the first w mode bit is not set, no one (including the 
owner) can modify the file. "

Not true: I chmod'ed 400 a file, and both the owner and another user
(having afs "write" access to the directory) could change it with vim
(because renaming and deleting are still allowed for both I guess).

Is this normal openafs behaviour, or am I missing something?
 
2. Another issue that may be related to caching:

userA changes the ACL for a directory that has not been accessed for a
long time:

userA> fs sa dir userB l

userB tries to read the directory:

userB> ls dir
ls: tested/file1: Permission denied
ls: tested/file2: Permission denied
[...]

I guess ls (aliased to ls --color=tty) tries to read the files to guess
the type, because using an unaliased ls does not give an error.

But strangely, if userA now reads the directory

userA> ls dir

userB can then read the directory without error, which means that the read
access attempts that failed before are now accepted.

Did somebody else notice such behaviour? May this indicate a security hole 
related to caching in openafs?

Regards,

Christophe.
-- 
    Christophe BERNARD - Centre de Morphologie Mathématique
École des Mines de Paris - 35, rue Saint-Honoré - 77305 Fontainebleau cedex
           tél +33-1-64694775   - fax +33-1-64694707
        email bernard@cmm.ensmp.fr - http://cmm.ensmp.fr
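
The rename-based save guessed at in point 1 can be reproduced on a local POSIX filesystem. The script below is an added example, not part of the original message; it shows local mode-bit semantics only and does not exercise AFS ACLs. The function name and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: a mode-400 file inside a directory the user can write to.
# In-place writes depend on the file's mode bits; replacing the file by
# rename depends only on write permission on the directory.
replace_readonly_file() {
    dir=$(mktemp -d) || return 1
    printf 'original\n' > "$dir/file"
    chmod 400 "$dir/file"
    ino_before=$(ls -i "$dir/file" | awk '{print $1}')

    # In-place modification is governed by the file's own mode bits.
    # root bypasses mode bits, so report the result rather than assume it.
    if [ -w "$dir/file" ]; then inplace=allowed; else inplace=denied; fi

    # Editor-style save: write a new file, then rename it over the old one.
    # Neither step opens the read-only file for writing.
    printf 'edited\n' > "$dir/file.new" || { rm -rf "$dir"; return 1; }
    mv -f "$dir/file.new" "$dir/file"   || { rm -rf "$dir"; return 1; }

    ino_after=$(ls -i "$dir/file" | awk '{print $1}')
    content=$(cat "$dir/file")
    if [ "$ino_before" != "$ino_after" ]; then
        replaced=new-inode      # the name now points at a different file
    else
        replaced=same-inode
    fi
    rm -rf "$dir"

    # Fields: in-place write status, whether the inode changed, new content
    printf '%s %s %s\n' "$inplace" "$replaced" "$content"
}

replace_readonly_file
```

A changed inode number is the sign that the "modified" file is a new object under the old name, which is why clearing the w bit on a file does not protect its name in a directory others can write to.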