[OpenAFS] Re: [OpenAFS-devel] Re: [AFS3-std] Changing RXAFS_GetVolumeStatus
access check to support volume lock down
Sun, 15 Jul 2012 12:55:21 -0400
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
Content-Type: text/plain; charset=UTF-8
On 7/6/2012 9:16 AM, Harald Barth wrote:
> From: Jeffrey Altman <email@example.com>
> Subject: Re: [OpenAFS-devel] Re: [AFS3-std] Changing RXAFS_GetVolumeSta=
tus access check to support volume lock down
> Date: Thu, 05 Jul 2012 18:48:26 -0400
>> On 7/5/2012 1:23 PM, Jeffrey Hutzelman wrote:
>>> I think it is fine to skip access control checks on this call entirel=
>>> As you point out, the information available via this RPC is also
>>> available to unauthenticated clients via the volserver.
>> I have modified http://gerrit.openafs.org/#change,7705 to remove all
>> access control checks. I was being conservative by changing the check=
>> to RXAFS_LOOKUP but I am in agreement that the check is not needed at =
> My cents after sleeping on it...
> When there is another door open to access the building, it is not very
> useful to check ID cards at the other.
Based upon the few comments that were received, I'm going to go ahead
and approve http://gerrit.openafs.org/#change,7705 with the intention
that this change be incorporated in the 1.6.2 release.
> If this would be "restricted information" then one would have to
> (1) Close the unauthenticated method
> (2) Figure out what WOULD BE a useful access restriction. I think
> that (l) on the volume root is not good. The right access
> restriction would IMHO be "open for any user that has (w) or (i)
> in any directory of the volume". That check is a little more
> tricky to implement but we don't need to think about it until (1)
> is changed.
I will start a new thread on openafs-devel to discuss the question of
viable authorization checks on the VL and VOL interfaces since at the
moment there is no authorization data to use to enforce such checks.
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
-----END PGP SIGNATURE-----