[OpenAFS] odd behavior with IP ACLs

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 06 Dec 2006 18:52:02 -0500


On Tuesday, December 05, 2006 03:11:05 AM -0500 Jeffrey Altman 
<jaltman@secure-endpoints.com> wrote:

> Kevin Sullivan wrote:
>> I'm seeing some odd behavior with IP acls and "li" permissions.  I have
>> a directory with permissions "li" for a pts group which contains several
>> IP addresses.
>>
>> I find that from clients running openafs in that pts group, I cannot see
>> the contents of files in that directory.  This is what I would expect.
>>
>> But from clients running arla in that pts group, I can read the contents
>> of the files.  I would think that the server shouldn't allow this no
>> matter what the client does, so I think that this is a server bug.
>>
>> The AFS servers are running OpenAFS 1.4.1 on NetBSD/i386;
>>
>> Can anyone else confirm this problem?  Has anyone seen it before?  Would
>> running 1.4.2 help?
>>
>> Thanks.
>>
>>     -Kevin
>
> How confident are you that the data was being delivered by the file
> server?
>
> Could the data have already been cached by the client using a different
> set of credentials?
>
> If you are confident that the data was indeed being sent by the file
> server, please send tcpdumps and file server logs showing the data
> delivery as part of a bug report to openafs-bugs@openafs.org.

No, Love is correct; this is not a bug.

If you have 'i' on a directory, you get implicit read access to the files 
you own (including any files you create).  If you are unauthenticated, then 
files you create are owned by the anonymous user, and you get implicit read 
access to all files owned by anonymous users.  IP-address ACLs and the 
host you are using have no relevance here; only the owner of the file 
matters.

The reason you are only seeing this with arla is because the OpenAFS client 
applies additional restrictions which are not enforced by the server, to 
provide the illusion of the dropbox-like behavior the permissions seem to 
imply.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA
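The ownership rule described in the reply above, as an added toy model that is not OpenAFS, arla or fileserver code. The PTS group name `dropbox-hosts`, the addresses, the caller names and the reduction of the OpenAFS cache manager's extra check to "require an explicit 'r'" are all constructed assumptions of the model; it exists to show why a host listed in an IP group, or any unauthenticated caller when `system:anyuser` holds 'i', can read every file owned by `anonymous` in that directory.

```python
"""
Toy model of AFS directory-ACL evaluation illustrating the thread above.
Added example, not OpenAFS or arla source; the rules are reduced to what the
message states plus the modelling assumptions marked below, and the sample
PTS group, ACLs and IP addresses are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

ANONYMOUS = "anonymous"        # owner of anything created unauthenticated
ANYUSER = "system:anyuser"     # AFS group every caller belongs to

# Constructed PTS database: group name -> members (user names or IP entries)
PTS_GROUPS: Dict[str, Set[str]] = {
    "dropbox-hosts": {"192.0.2.10", "192.0.2.11"},   # constructed addresses
}


@dataclass(frozen=True)
class Caller:
    user: Optional[str]   # None means an unauthenticated connection
    ip: str

    @property
    def identity(self) -> str:
        """The identity the server records as owner of files this caller creates."""
        return self.user if self.user is not None else ANONYMOUS


def rights_for(dir_acl: Dict[str, str], caller: Caller,
               pts_groups: Dict[str, Set[str]] = PTS_GROUPS) -> Set[str]:
    """Union of the rights the directory ACL grants this caller.

    A principal matches if it is the caller's own user name, system:anyuser,
    or a group listing the user name or the calling host's IP address.
    Modelling assumption: IP entries apply to every connection from that
    address, authenticated or not.
    """
    rights: Set[str] = set()
    for principal, r in dir_acl.items():
        members = pts_groups.get(principal, {principal})
        if principal == ANYUSER or caller.identity in members or caller.ip in members:
            rights |= set(r)
    return rights


def create_file(caller: Caller) -> str:
    """Owner recorded for a file this caller creates (anonymous if unauthenticated)."""
    return caller.identity


def server_allows_read(dir_acl: Dict[str, str], file_owner: str, caller: Caller) -> bool:
    """Fileserver decision as the message describes it: 'r' on the directory
    grants read, and 'i' grants implicit read of files the caller owns.
    The calling host never enters this decision, only the owner does."""
    rights = rights_for(dir_acl, caller)
    if "r" in rights:
        return True
    return "i" in rights and file_owner == caller.identity


def openafs_client_allows_read(dir_acl: Dict[str, str], file_owner: str, caller: Caller) -> bool:
    """Cache-manager side check.  Modelling assumption: the OpenAFS client only
    lets a read through when the directory grants an explicit 'r', so it hides
    the server's owner-based implicit read; a client without this local check
    (arla in the thread) sees exactly what server_allows_read returns."""
    return "r" in rights_for(dir_acl, caller)


if __name__ == "__main__":
    ip_acl = {"dropbox-hosts": "li"}
    dropper = Caller(None, "192.0.2.10")          # unauthenticated, listed host
    owner = create_file(dropper)                  # -> "anonymous"
    for name, caller in [("listed host, unauthenticated", dropper),
                         ("unlisted host, unauthenticated", Caller(None, "192.0.2.99")),
                         ("kevin from listed host", Caller("kevin", "192.0.2.10"))]:
        print(f"{name:32} server={server_allows_read(ip_acl, owner, caller)!s:5} "
              f"openafs-client={openafs_client_allows_read(ip_acl, owner, caller)}")
    # The same rule with system:anyuser 'li': every anonymous caller anywhere
    # can read every anonymous-owned file in the "dropbox".
    anyuser_acl = {ANYUSER: "li"}
    print("anyuser li, anonymous stranger  server=",
          server_allows_read(anyuser_acl, owner, Caller(None, "198.51.100.7")))
```

The two decision functions make the disagreement in the thread concrete: the server grants the read because the file is owned by `anonymous` and the caller is `anonymous` with 'i', while the stricter client check fails for lack of 'r'. The `system:anyuser` case is the one to watch on a real cell, since it turns an anonymous dropbox into a directory readable by every unauthenticated caller.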