[OpenAFS] To read a file from a directory whose ACL is r-l
(read permission but no lookup permission)
Tue, 13 Sep 2005 12:37:36 -0400
On Tuesday, September 13, 2005 16:10:35 +0300 acemi <email@example.com>
> I want that users can't browse the directory's content (files list) but
> they can open/read a file if they know the name of the file. To do that I
> set r-l (read permission but no lookup permission) as ACL, but user can't
> read the file in this case.
> I googled to learn how I can do that but I can't find a solution. Is there a
> way to do that?
No, you can't do that.
The 'l' permission grants the ability to read the directory and to do
lookups in it. The 'r' permission grants the ability to read the contents
of files in that directory. Since you need to do a directory lookup in
order to know the file's FID, you can't access a file without 'l' on the
directory containing it.
> If no, to hack some part of source code will be a solution? Which parts?
> is "viced/afsfileprocs.c" the file which I need to hack?
No. In AFS, directory lookups are done on the client. The client needs a
copy of the directory in order to do lookups, and once it has it, it can do
whatever it wants. You could distribute to your users a modified client
which prevented them from listing directories (or directories on which they
don't have a particular ACL bit, or whatever). But you can't prevent your
users from downloading and using an unmodified client to list the contents
of any directory in which they can do lookups.
Also, ignoring the snide comment about Windows, Frank Burkhardt is right.
If you want to control which users have access to which files, then put
them in directories with appropriate ACLs. Use symlinks if you have to.
A wise man once said, "Security through obscurity is worse than no security
-- Jeffrey T. Hutzelman (N3NHS) <firstname.lastname@example.org>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
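
The layout recommended in the reply above (files in directories with appropriate ACLs, symlinks where an existing path has to keep working), as an added example that is not part of the original message or of OpenAFS itself. The base path, the `private/` and `shared/` directory names, the user and file names and all function names are assumptions; the script only prints the `fs` commands so they can be reviewed before anything is run.

```shell
#!/bin/sh
# Added example, not from the original message. Prints the commands for
# review instead of running them. Paths, users and file names are constructed.

# Accept only simple names so nothing unexpected lands in a generated command.
valid_name() {
    case $1 in
        ''|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# emit_private_dir BASE USER: a directory whose ACL names USER and the admins only.
emit_private_dir() {
    dir="$1/private/$2"
    printf 'mkdir -p %s\n' "$dir"
    # -clear replaces the ACL the new directory inherited from its parent.
    # 'l' lets the client fetch the directory and find FIDs; 'r' lets it read file data.
    printf 'fs setacl -dir %s -acl system:administrators all %s rl -clear\n' "$dir" "$2"
    printf 'fs listacl -path %s\n' "$dir"
}

# emit_link BASE USER FILE: keep the old path working with a relative symlink.
emit_link() {
    printf 'ln -s ../private/%s/%s %s/shared/%s\n' "$2" "$3" "$1" "$3"
}

# plan_layout BASE: reads "user file" pairs on stdin, prints the command plan.
plan_layout() {
    base=$1 seen=' '
    while read -r user file; do
        [ -n "$user" ] || continue
        if ! valid_name "$user" || ! valid_name "$file"; then
            printf 'invalid entry, stopping: %s %s\n' "$user" "$file" >&2
            return 1
        fi
        case $seen in
            *" $user "*) ;;   # directory and ACL already planned for this user
            *) emit_private_dir "$base" "$user"; seen="$seen$user " ;;
        esac
        emit_link "$base" "$user" "$file"
    done
}
```

Anyone with 'l' on `shared/` still sees the symlink names; what the ACL on each `private/<user>` directory controls is who can resolve and read the files behind them.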