[OpenAFS] To read a file from a directory whose ACL is r-l (read permission but no lookup permission)

Jeffrey Hutzelman jhutz@cmu.edu
Tue, 13 Sep 2005 12:37:36 -0400

On Tuesday, September 13, 2005 16:10:35 +0300 acemi <acemi@spymac.com> 

> Hello,
> I want that users can't browse the directory's content (files list) but
> they can open/read a file if they know the name of the file. To do that I
> set r-l (read permission but no lookup permision) as ACL, but user can't
> read the file in this case.
> I googled to learn how I can do but I can't find a solution. Is there a
> way to do that?

No, you can't do that.
The 'l' permission grants the ability to read the directory and to do 
lookups in it.  The 'r' permission grants the ability to read the contents 
of files in that directory.  Since you need to do a directory lookup in 
order to know the file's FID, you can't access a file without 'l' on the 
directory containing it.

> If no, to hack some part of source code will be a solution? Which parts?
> is "viced/afsfileprocs.c" the file which I need to hack?

No.  In AFS, directory lookups are done on the client.  The client needs a 
copy of the directory in order to do lookups, and once it has it, it can do 
whatever it wants.  You could distribute to your users a modified client 
which prevented them from listing directories (or directories on which they 
don't have a particular ACL bit, or whatever).  But you can't prevent your 
users from downloading and using an unmodified client to list the contents 
of any directory in which they can do lookups.

Also, ignoring the snide comment about Windows, Frank Burkhardt is right. 
If you want to control which users have access to which files, then put 
them in directories with appropriate ACL's.  Use symlinks if you have to.
A wise man once said, "Security through obscurity is worse than no security 
at all".

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA