[OpenAFS] ACL question

Tino Schwarze tino.schwarze@informatik.tu-chemnitz.de
Fri, 23 May 2003 10:40:06 +0200


On Fri, May 23, 2003 at 10:21:28AM +0200, jarausch@igpm.rwth-aachen.de wrote:

> I have a subdirectory where system:anyuser only has read rights. There
> are files in this directory which are readable and/or executable for
> group G.  Having not klog(ged in) I neither read nor execute a file in
> this directory although I am a member of this group G.

Without a token, you are system:anyuser, nothing more. Your Unix groups
are of no use for AFS ACL (remember: If I'm root on the client, I can
make any user belong to any group I want to.).

> There are no problems if I extend system:anyuser's rights
> to read+list
> 
> What have I missed and what's the sense of the read
> access right?

The sense is that you might want a user to see the files, but not read
them (necessary if you want to give rights to subdirectories).
Therefore, you can have

dir           $user: l
|
+--- subdir   $user: rl

This is useful for home directories: I have directories PROTECTED and
PUBLIC. My home directory only has "l" for system:anyuser, PUBLIC has
"rl", PROTECTED has special rights for special people.

HTH! Tino.

-- 
             * LINUX - Where do you want to be tomorrow? *
                  http://www.tu-chemnitz.de/linux/tag/
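
Added example, not part of the original message and not OpenAFS code: a simplified Python model of the ACL behaviour discussed in this thread, showing why Unix group membership is ignored without a token and why "r" without "l" gives no access. The user `alice`, the group `G` as a protection-database group, and the directory names are constructed; negative ACL entries and Unix mode bits are left out.

```python
# Simplified model of AFS directory ACL checks (illustration only).
# Assumptions: positive ACL entries only; Unix mode bits are not modelled.
ANYUSER, AUTHUSER = "system:anyuser", "system:authuser"

def identities(token_user, pts_groups):
    """Principals the file server matches ACL entries against.
    Client-side Unix groups never appear here; only the token counts."""
    if token_user is None:                      # no klog, so no token
        return {ANYUSER}
    return {ANYUSER, AUTHUSER, token_user} | set(pts_groups.get(token_user, ()))

def rights(acl, who):
    """Union of the rights of every ACL entry that matches the caller."""
    granted = set()
    for principal, letters in acl.items():
        if principal in who:
            granted |= set(letters)
    return granted

def can_read(path, acls, token_user=None, pts_groups=None):
    """True if the file at `path` is readable: 'l' on every directory
    walked through, plus 'r' on the directory that holds the file."""
    who = identities(token_user, pts_groups or {})
    parts = path.strip("/").split("/")
    dirs = ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    if not dirs:
        return False                            # no ACL-bearing directory given
    for d in dirs:
        if "l" not in rights(acls.get(d, {}), who):
            return False                        # lookup is the gatekeeper right
    return "r" in rights(acls.get(dirs[-1], {}), who)

# Constructed sample layout, following the home-directory scheme above.
ACLS = {
    "/home":           {ANYUSER: "l"},          # names visible, contents not
    "/home/PUBLIC":    {ANYUSER: "rl"},
    "/home/PROTECTED": {"G": "rl"},             # G is a protection-database group
    "/home/readonly":  {ANYUSER: "r"},          # the case from the question
}
PTS = {"alice": ["G"]}                          # constructed group membership

if __name__ == "__main__":
    for p in ("/home/PUBLIC/f", "/home/PROTECTED/f", "/home/readonly/f"):
        print(p, "no token:", can_read(p, ACLS),
              "| alice with token:", can_read(p, ACLS, "alice", PTS))
```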