[OpenAFS] Re: fs setacl and permissions

Juha Jäykkä juolja@utu.fi
Sun, 28 Jan 2007 01:10:11 +0200



> So what it really comes down to is this: I claim that, if someone who
> "owns" a directory (i.e. has "explicit" a privs) defines a subdirectory
> and restricts someone else to non-a privs there, it is really a
> security breach for that someone else to be able to get "a" privs
> anywhere below it.  But that's exactly what this "implicit a privs for
> a directory's owner" provides.

Good point, but one question immediately arises: why was the other
obvious solution discarded? The other one being as follows. Suppose your
scenario with a teacher, who owns and has "a" at dir1, plus a bunch of
students, who own dir1/student1, dir1/student2 etc. and have "a" in their
respective directories. Suppose the teacher also wants to have "a" on all
subdirectories of dir1. Now, your problem can be solved by allowing
anyone with "a" access to dir1 to alter the ACLs on all its subdirs. This
way, if a student removes the teacher from the ACL of dir1/student1, the
teacher can always grant themselves the access again. I fail to see which
security holes this would open, although I wouldn't be surprised if it
did, since the regular unix filesystems and chmod/chown do not seem to
allow this either.

-Juha

-- 
		 -----------------------------------------------
		| Juha Jäykkä, juolja@utu.fi			|
		| home: http://www.utu.fi/~juolja/		|
		 -----------------------------------------------
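To make the two rules in this exchange concrete, here is a small model of both (an added example, not OpenAFS code, and deliberately simpler than the real fileserver's rights check): "owner_implicit" is the rule the quoted message objects to, where a directory's owner always holds "a"; "parent_a" is the alternative proposed above, where "a" on the parent lets you administer each subdirectory's ACL. It assumes that `fs setacl` needs "a" on the directory, and that a new directory is owned by its creator and starts with a copy of the parent's ACL.

```python
# Toy model of the two ACL-administration rules debated in this thread
# (constructed example, not OpenAFS code).  A directory is a dict with an
# owner and an acl (user -> set of AFS right letters); only 'a' matters here.
ALL = set("rlidwka")  # the seven AFS directory rights

def parent(path):
    return path.rsplit("/", 1)[0] if "/" in path else None

def rights_on(tree, path, user, policy):
    """Effective rights of `user` on `path` under one of two policies:
    'owner_implicit' (directory owner always holds 'a', the rule objected to)
    or 'parent_a' ('a' on the parent lets you administer each subdir's ACL)."""
    d, p = tree[path], parent(path)
    rights = set(d["acl"].get(user, set()))
    if policy == "owner_implicit" and d["owner"] == user:
        rights.add("a")
    if policy == "parent_a" and p and "a" in rights_on(tree, p, user, policy):
        rights.add("a")
    return rights

def set_acl(tree, path, actor, target, rights, policy):
    """Like `fs setacl`: succeeds only if `actor` holds 'a' on `path`."""
    if "a" not in rights_on(tree, path, actor, policy):
        return False
    tree[path]["acl"][target] = set(rights)
    return True

def mkdir(tree, path, creator, policy):
    """Needs 'i' on the parent; the new directory is owned by its creator
    and starts with a copy of the parent's ACL (assumed, as in AFS)."""
    p = parent(path)
    if "i" not in rights_on(tree, p, creator, policy):
        return False
    tree[path] = {"owner": creator, "acl": {u: set(r) for u, r in tree[p]["acl"].items()}}
    return True

def teacher_can_regain(policy):
    """Juha's case: student1 drops the teacher from dir1/student1's ACL."""
    tree = {"dir1": {"owner": "teacher", "acl": {"teacher": ALL, "student1": {"r", "l"}}},
            "dir1/student1": {"owner": "student1", "acl": {"teacher": ALL, "student1": ALL}}}
    assert set_acl(tree, "dir1/student1", "student1", "teacher", set(), policy)
    return set_acl(tree, "dir1/student1", "teacher", "teacher", ALL, policy)

def restricted_user_escalates(policy):
    """The quoted objection: bob holds non-'a' rights in dir1/sub, creates
    dir1/sub/bob there and then tries to grant himself 'a' on it."""
    tree = {"dir1": {"owner": "teacher", "acl": {"teacher": ALL}},
            "dir1/sub": {"owner": "teacher", "acl": {"teacher": ALL, "bob": set("rlidwk")}}}
    assert mkdir(tree, "dir1/sub/bob", "bob", policy)
    return set_acl(tree, "dir1/sub/bob", "bob", "bob", ALL, policy)
```

Under "owner_implicit" the teacher is locked out of dir1/student1 while bob gains "a" on his own subdirectory; under "parent_a" the teacher can re-grant access and bob stays confined to what dir1/sub allows.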
