[OpenAFS] odd behavior with IP ACLs
Wed, 06 Dec 2006 18:52:02 -0500
On Tuesday, December 05, 2006 03:11:05 AM -0500 Jeffrey Altman
> Kevin Sullivan wrote:
>> I'm seeing some odd behavior with IP acls and "li" permissions. I have
>> a directory with permissions "li" for a pts group which contains several
>> IP addresses.
>> I find that from clients running openafs in that pts group, I cannot see
>> the contents of files in that directory. This is what I would expect.
>> But from clients running arla in that pts group, I can read the contents
>> of the files. I would think that the server shouldn't allow this no
>> matter what the client does, so I think that this is a server bug.
>> The AFS servers are running OpenAFS 1.4.1 on NetBSD/i386;
>> Can anyone else confirm this problem? Has anyone seen it before? Would
>> running 1.4.2 help?
> How confident are you that the data was being delivered by the file
> Could the data have already been cached by the client using a different
> set of credentials?
> If you are confident that the data was indeed being sent by the file
> server, please send tcpdumps and file server logs showing the data
> delivery as part of a bug report to email@example.com.
No, Love is correct; this is not a bug.
If you have 'i' on a directory, you get implicit read access to the files
you own (including any files you create). If you are unauthenticated, then
files you create are owned by the anonymous user, and you get implicit read
access to all files owned by anonymous users. IP-address ACL's and the
host you are using have no relevance here; only the owner of the file
The reason you are only seeing this with arla is because the OpenAFS client
applies additional restrictions which are not enforced by the server, to
provide the illusion of the dropbox-like behavior the permissions seem to
-- Jeffrey T. Hutzelman (N3NHS) <firstname.lastname@example.org>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA