[OpenAFS] transitive "fs la"?

Garance A Drosihn drosih@rpi.edu
Tue, 4 Sep 2007 18:30:51 -0400


At 5:45 PM -0700 9/2/07, Adam Megacz wrote:
>A user's rights on a directory are effectively moot unless s/he has
>"l" permissions on every ancestor directory (up to the volume root).
>So you could say that the "transitive" acl of a directory is its acl
>minus permissions which cannot currently be exercised by virtue of the
>acls on its ancestors.
>
>I'm interested in a simple utility to print out this sort of effective
>acl.  For bonus points, query the pts database and factor in group
>membership (for example, a group you belong to has "l" on parent and
>you personally have "l" on the directory itself).
>
>Has anybody written this already, or should I take a crack at it?

I have a script written in ruby which does something kind-of along
the lines of what you want.  You can get the script at:

http://people.freebsd.org/~gad/tools/pathls

#   This program is an alternative to `ls -ld'.  For each pathname given
#   (i.e., "filename with a `/' in it"), this will show lstat-related
#   info for each segment in that path, followed by info on the original
#   pathname.

You'd want to run it with the --minafs option.  Here's a sample,
looking at three pathnames:

(43) pathls --minafs ~drosehn ~drosehn/public_html ~drosehn/private
  1.01]  l0777 -rl:NIL-   root     root     2001H16 /home
                                                 -> /afs/rpi.edu/home
   .02]  d0755 -rl:NIL-   daemon   user     2007H27 /home/37
   .03]  d0775 -l:NIL-    drosehn  user     2007H23 /home/37/drosehn
  2.04]  d0777 -NIL:NIL-  drosehn  user     2007H23 /home/37/drosehn/private
  3.04]  d0777 -rl:NIL-   drosehn  g:20     2007F02 /home/37/drosehn/public_html


I wrote this because I'd hit an access error getting to some file deep
in AFS directories, and I'd have to go through each section of the path
to find out where the error was.  That was complicated by the fact that
we had a few symlinks at odd places, so you'd think you were in one part
of AFS, and you'd suddenly bounce over to a very different part.  I also
wanted to produce as dense an output as possible, while still showing me
all the info I might be interested in.  Also, we had a problem at the
time where we had some directories permitted to system:anyuser which
really should not have been.

The column with '-rl:NIL-' for the first entry is the column which
shows up when you specify --minafs.  It shows the access for
system:anyuser and system:authuser, separated by a colon.  Thus:

   "-rl:NIL-"  means:  system:anyuser has read+lookup access
                   and system:authuser is "Not in List" (it has
                                           no specific access).

Note that --minafs only shows the access granted to those two AFS groups.
There is also a --listacl option, but that simply prints the output of
'fs listacl' for each path, and I didn't come up with any special
formatting for it.

There is no write-up for it, so you'd have to look at the source code
to see what options it supports.  And it's nothing more than "what I
wanted at the time", which may not be what anyone else would want.  I
wrote it about two years ago, so my memory of it is rather foggy.

Still, there are times when it has been very useful for me.

-- 
Garance Alistair Drosehn            =   gad@gilead.netel.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu