[OpenAFS] fs setacl and permissions

Juha Jäykkä juolja@utu.fi
Thu, 25 Jan 2007 19:38:06 +0200


> > as a member of system:adminstrators, do
> >
> > mkdir /afs/cell/dir
> > mkdir /afs/cell/dir/dir2
> > fs setacl /afs/cell/dir user all
> >
> > as user, do
> >
> > fs setacl /afs/cell/dir/dir2 anyone anything
> >
> > to get
> >
> > fs: You don't have the required access rights on ...
> This is the expected behaviour, ACLs are not inherited.

Is it? I definitely didn't expect it. ACLs are not inherited, but since
user here has full access to dir, why should user not be able to alter
things within the dir? If user has full administrative rights to dir,
then user should be able to do whatever one wants with dir/dir2. I
thought directories are nothing more than a "table of contents", so if user
has permission to alter the table of contents ("a"), why can user not alter
the table of contents (whether he can access a certain object mentioned
in the ToC)?

Why is this, anyway? To prevent the administrator of dir1 from
commandeering its subdirectories? The old trick with implicit rights and
chown was neat since on AFS there is no need to fear for your quota being
filled by other people giving you files (the most common reason, I think,
to disallow giving away files with chown).

> Well, user1 (or any user with "a"-rights) has to do the find.
> I mean, instead of relying on the implicit "a"-right, give some user
> explicit "a"-rights and teach them how to use find.

That seems to be the only way, then. It is quite ok, even, until the
directory tree is interspersed with directories with different "owners"
and all of them must be given a new owner. By "owner" I mean the users
with "a" in their ACL. In this case every owner of a directory in the
tree will have to do his own find and if things are very messy, dir1,
dir1/dir2 and dir1/dir2/dir3 all have different owners, in which case
even the order of the finds is relevant (and given some scenarios,
multiple finds per user are needed - for example if dir1 and dir3 are
owned by the same user, but dir2 is not).

Luckily it seems as if directory trees like the above are not very
common. We have, however, some trees where dir1 is owned by user1,
dir1/dir2a by user1, dir1/dir2b by user2 and dir1/dir2b/dir3 by user3.
These directories change owners frequently, but luckily for us, user1
always stays around for at least a year at a time so user1 can handle the
permissions - I assume.

Perhaps the way to go is groups, although this situation would dictate
groups with only a single member, but at least memberships can be given
and taken easily without admin interference. In all other situations, groups
are easier anyway since there are multiple members per group.

-Juha

-- 
		 -----------------------------------------------
		| Juha Jäykkä, juolja@utu.fi			|
		| home: http://www.utu.fi/~juolja/		|
		 -----------------------------------------------
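Added example (not from the post or from OpenAFS): shell helpers for the "do the find" approach discussed above. Since AFS ACLs are per directory and not inherited, re-ACLing a tree means one `fs setacl` per directory, and only the "owners" of each directory (principals holding "a") can do it. The parsers work on the text `fs listacl` prints; the user names, path and sample ACL are constructed.

```shell
#!/bin/sh
# acl_admins LISTACL_TEXT -> principals holding "a" in the "Normal rights:"
# section, space separated on one line. Entries under "Negative rights:"
# are denials, so an "a" there does not make anyone an owner.
acl_admins() {
    printf '%s\n' "$1" | awk '
        /^Normal rights:/   { normal = 1; next }
        /^Negative rights:/ { normal = 0; next }
        normal && NF == 2 && $2 ~ /a/ { out = out (out ? " " : "") $1 }
        END { print out }'
}

# has_admin_right LISTACL_TEXT PRINCIPAL -> exit 0 if PRINCIPAL is an owner.
# Caveat: rights granted through a group are not resolved here (the listacl
# text only shows the group's name), so "no" can still mean "yes via a group".
has_admin_right() {
    for p in $(acl_admins "$1"); do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

# grant_tree ROOT PRINCIPAL RIGHTS: the find walk itself. Tries `fs setacl`
# on every directory below ROOT and reports the ones that refused, which are
# exactly the directories whose own owner has to run the same walk (e.g. the
# dir1/dir2b owned by user2 in the post). Needs a live AFS client, so it is
# not exercised offline.
grant_tree() {
    root=$1 who=$2 rights=$3
    find "$root" -type d | while IFS= read -r d; do
        fs setacl "$d" "$who" "$rights" 2>/dev/null ||
            printf 'no "a" right here, owner must do it: %s (owners: %s)\n' \
                "$d" "$(acl_admins "$(fs listacl "$d" 2>/dev/null)")"
    done
}

# Constructed `fs listacl` output for the post's dir1/dir2b, owned by user2.
# user1 can read it but not administer it; user3 has a *negative* "a".
SAMPLE_ACL='Access list for /afs/cell/dir1/dir2b is
Normal rights:
  system:administrators rlidwka
  user2 rlidwka
  user1 rl
Negative rights:
  user3 a'
```

Running `grant_tree /afs/cell/dir1 user4 all` as user1 would then set the ACL on dir1 and dir1/dir2a and print dir1/dir2b (and dir1/dir2b/dir3) as the directories user2 and user3 have to handle themselves.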