[OpenAFS] ACL for single files

Mike Fedyk mfedyk@matchmail.com
Sun, 19 Sep 2004 00:50:36 -0700


Hartmut Reuter wrote:

> Sensei wrote:
>
>> Hi.
>>
>> I have a question about ACLs: is it possible to set ACLs for a file in a
>> directory? The problem is this: in the home directory .bashrc contains
>> the call to aklog, but it's not readable by anyone since the home dir is
>> readable only by the owner. AKlog has to be called, so I'd like to have
>> that system:anyuser rl for .bashrc, but not for the entire directory.
>
>
> In our MR-AFS fileservers we have an optional switch on volume basis
> which allows using the modebits for other to control the access of
> unauthenticated users (system:anyuser). This certainly could be
> implemented easily in OpenAFS fileservers as well.
>
> We didn't set this flag automatically for all user volumes because it
> narrows the access: If someone has given read access on the root
> directory of his home volume to system:anyuser then after switching
> this feature on only files with the other-read-bit on remain
> accessible. So it requires some new unusual attention of the users.

I like this.

It will greatly ease transitions from installations that already only 
use the standard UGO octal unix permissions.  Adhering to setting the 
same group as parent with the SGID bit set on directories would be 
needed also.