[OpenAFS] transitive "fs la"?
Todd M. Lewis
Todd M. Lewis" <firstname.lastname@example.org
Mon, 03 Sep 2007 02:11:06 -0400
Todd M. Lewis wrote:
> Derrick J Brashear wrote:
>> On Sun, 2 Sep 2007, Adam Megacz wrote:
>>> A user's rights on a directory are effectively moot unless s/he has
>>> "l" permissions on every ancestor directory (up to the volume root).
>>> So you could say that the "transitive" acl of a directory is its acl
>>> minus permissions which cannot currently be exercised by virtue of the
>>> acls on its ancestors.
>>> I'm interested in a simple utility to print out this sort of effective
>>> acl. For bonus points, query the pts database and factor in group
>>> membership (for example, a group you belong to has "l" on parent and
>>> you personally have "l" on the directory itself).
>>> Has anybody written this already, or should I take a crack at it?
>> You can probably use "ws" as a basis. See ws.c in my homedir in the
>> andrew cell.
> Go ahead, knock yourself out. Just keep in mind that the volume
> containing the directory you're interested in may be mounted in multiple
> places, and while the user may not have "l" rights all the way up the
> tree from one mountpoint, she might well have them from another.
> For this reason, you might want to include in your results two distinct
> reports: whether "l" is available from the given directory up to the
> root level of the containing volume, and a separate indication of
> whether the user has "l" rights up the tree in the given path to /afs.
> You might also want to make some decisions before you start writing code
> about how this would work when run by an admin (who could see all the
> ACLs) vs. a generic user (who may not).
One more thing. The "generic user" running this utility may or may not
be the subject of the query. For example, I may want to check whether I
have "l" all the way up from a given spot. Alternatively I might
occasionally want to grant Doug access to some directory, but I'd need
to run your utility on that directory with Doug as the subject user
rather than myself to see if he can in fact get to the data.
So that's three scenarios: Admin testing a directory wrt an arbitrary
subject user, Joe user testing a directory wrt himself, and Joe user
testing a directory wrt some other user. Or a group. Ooooh, with
groups, that's, like, six scenarios. Or multiple users and/or groups at
once. Gee, I didn't realize how badly I need this utility.
I'll stop now, or you may never get it written. :)