[OpenAFS] Re: Ideas for finer grain set acl controls

Russ Allbery rra@stanford.edu
Thu, 12 Nov 2009 13:34:50 -0800

Andrew Deason <adeason@sinenomine.net> writes:
> Russ Allbery <rra@stanford.edu> wrote:

>> It's not as important as being able to block system:anyuser, but yes,
>> I'd ideally like to be able to block arbitrary PTS groups from being
>> added to ACLs with "all" or "write" access.

> Thanks for being the first to speak up, but I want to make clear that
> this sub-thread was specifically about system:authuser restrictions,
> since it's kind of a special case. Blocking "arbitrary PTS groups" from
> getting certain rights in ACLs has issues.

I don't see much utility in blocking system:authuser specifically.

system:anyuser is the low-hanging fruit.  Outside of system:anyuser, I
think the next meaningful level of feature is blocking arbitrary
admin-specified groups or users from being given write or admin access.
I don't think system:authuser is sufficiently interesting to be worth a
lot of attention outside of supporting arbitrary restrictions.

> The thing is, for the non-special groups (i.e. most groups), blocking a
> specific group people.foo in an ACL doesn't do much. Since you can just
> 'pts add people.foo adeason:foo', and then put adeason:foo in the ACL.
> Unless we also change the permissions of supergroup creation or
> something, there's not really a way around that.

That's okay.  I don't need something that can't be worked around, just
something that catches users who don't knowo what they're doing.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>