[OpenAFS] Re: fs setacl and permissions

Bob Cook bobcook@slac.stanford.edu
Mon, 29 Jan 2007 22:54:08 -0800 (PST)


On Sun, 28 Jan 2007, Juha [UTF-8] J=C3=A4ykk=C3=A4 wrote:

>> So what it really comes down to is this: I claim that, if someone who
>> "owns" a directory (i.e. has "explicit" a privs) defines a subdirectory
>> and restricts someone else to non-a privs there, it is really a
>> security breach for that someone else to be able to get "a" privs
>> anywhere below it.  But that's exactly what this "implicit a privs for
>> a directory's owner" provides.
>
>Good point, but one question immediately arises: why was the other
>obvious solution discarded? The other one being as follows. Suppose your
>scenario with a teacher, who owns and has "a" at dir1 plus a bunch of
>students, who own dir1/student1, dir1/student2 etc and have "a" in their
>respective directories. Suppose teacher also wants to have "a" on all
>subdirectories of dir1. Now, your problem can be solved by allowing
>anyone with "a" access to dir1 to alter the ACLs on all its subdirs. This
>way, if a student removes the teacher from the ACL of dir1/student1, the
>teacher can always grant oneself the access again. I fail to see which
>security holes this would open, although I wouldn't be surprised if it
>does since the regular unix filesystems and chmod/chown do not seem to
>allow this either.

I'm not an expert on this stuff, but two things occur to me.  One is that
your "obvious solution" doesn't allow me a different scenario.  Suppose I
want to allocate a subdirectory to someone else and turn over ALL control
to that person; i.e., I don't want to be involved any more; I don't want to
have ANY privileges in the new directory.  With my scenario, I can easily
remove myself after adding rlidwka for the new "owner".  But with yours, I
can't.

The other is that your solution doesn't allow me to allocate a subdirectory
to someone or group with permissions more restricted than rlidwk, because t=
he
person/group can regain all those permissions in the subdirectories they
create, and I can't prevent it.