[OpenAFS] Methods of Restricting AFS3 ACL rights

Andrew Deason adeason@sinenomine.net
Wed, 13 Jan 2010 11:17:32 -0600


To all AFS users and administrators,

Recently, the OpenAFS community has been discussing potential methods
of restricting ACL modifications. In other words, possible ways of
preventing just any user with 'a' rights from granting 'rlidwka'
rights to system:anyuser, if the administrator wants to prevent it.

Since the way we go about doing this is potentially very visible to
both AFS administrators and users, we are asking any interested
parties from the wider AFS community to voice their opinions. The
explanation for the various methods now exists as an Internet Draft,
and can be found here:

<http://www.ietf.org/id/draft-deason-afs3-acl-restrictions-00.txt>
<http://tools.ietf.org/html/draft-deason-afs3-acl-restrictions-00>

This is just to explore the options and get feedback. We would
appreciate it if you let us know of any problems or concerns you may
have with the described approaches, or if you support the ideas (even if it's
just "I want this feature but don't have time to read the document").

We are aiming to start work on standardizing the mechanisms for actually
implementing one of these methods in early February at the latest, so
please try to express feedback by then, if you can.

-- 
Andrew Deason
adeason@sinenomine.net