[OpenAFS] Re: Ideas for finer grain set acl controls

Andrew Deason adeason@sinenomine.net
Thu, 12 Nov 2009 14:51:45 -0600

On Thu, 12 Nov 2009 12:23:20 -0800
Russ Allbery <rra@stanford.edu> wrote:

> Andrew Deason <adeason@sinenomine.net> writes:
> > In other words: *** PLEASE SPEAK UP *** if you want to be able to
> > prevent normal users from doing something like "fs setacl ${HOME}
> > system:authuser rlidwka" even when they have the 'a' bit on ${HOME}.
> > Even if it's just "+1, yes, I want that", please say something.
> It's not as important as being able to block system:anyuser, but yes,
> I'd ideally like to be able to block arbitrary PTS groups from being
> added to ACLs with "all" or "write" access.

Thanks for being the first to speak up, but I want to make clear that
this sub-thread was specifically about system:authuser restrictions,
since it's kind of a special case. Blocking "arbitrary PTS groups" from
getting certain rights in ACLs has issues. Such issues been discussed
elsewhere, but really quickly for everyone:

The thing is, for the non-special groups (i.e. most groups), blocking a
specific group people.foo in an ACL doesn't do much. Since you can just
'pts add people.foo adeason:foo', and then put adeason:foo in the ACL.
Unless we also change the permissions of supergroup creation or
something, there's not really a way around that.

So we have some different mechanisms for 'normal' groups, but those are
outlined in that big "3 methods" email.

Andrew Deason