[OpenAFS] Re: Ideas for finer grain set acl controls

Christopher D. Clausen cclausen@acm.org
Thu, 12 Nov 2009 14:59:56 -0600


Alf Wachsmann <alfw@slac.stanford.edu> wrote:
> On Thu, 12 Nov 2009, Russ Allbery wrote:
>> Andrew Deason <adeason@sinenomine.net> writes:
>>> In other words: *** PLEASE SPEAK UP *** if you want to be able to
>>> prevent normal users from doing something like "fs setacl ${HOME}
>>> system:authuser rlidwka" even when they have the 'a' bit on ${HOME}.
>>
>>> Even if it's just "+1, yes, I want that", please say something.
>>
>> It's not as important as being able to block system:anyuser, but
>> yes, I'd ideally like to be able to block arbitrary PTS groups from
>> being added to ACLs with "all" or "write" access.
>
> What he said. I would like that feature.

Me too!

Also, I would like separate "change acl" and "add mount point" 
permissions.  I often end up granting "a" just so that users can add
mount points, as I see mount points as one of the key benefits of AFS.
The end user can define their view of the file space and not have to 
resort to hard-coded things like symlinks or hardlinks.

Some users just cannot be trusted to manage their own ACLs though.

<<CDC