[OpenAFS] Windows app to recursively apply ACLs - AFSACL

Pedro de Oliveira falsovsky@gmail.com
Fri, 9 May 2014 15:59:28 +0100



Hi Jeffrey thanks for replying.

On Fri, May 9, 2014 at 3:40 PM, Jeffrey Altman <jaltman@your-file-system.com> wrote:

> On 5/9/2014 6:22 AM, Pedro de Oliveira wrote:
> > Hi,
> >
> > I want to announce a little app that I made at work that allows applying
> > OpenAFS ACLs recursively on Windows, because the current way to apply
> > ACLs on Windows is a bit difficult for normal users.
>
> I am concerned that this application can cause serious harm as currently
> implemented.
>
> https://github.com/falsovsky/ACLAFS/blob/master/screenshot.png
>
> It does not show the end user the current list of permissions for all
> groups and users included in the ACL.  It does not provide a mechanism
> to "clean" the ACL nor does it handle negative ACLs.  All of which are
> provided in the AFS Explorer Shell Extension provided with the OpenAFS
> distribution.  Select the object to be modified in the Explorer Shell,
> right-click to display the context menu and select Properties.  The "AFS
> ACL" tab provides the user the ability to adjust the ACLs.
>

It only shows the permissions for the user/group typed in the "identifier".
It allows you to "clean" the ACL: just uncheck the ones you want to remove,
or unselect all and it will use setacl none.


>
> In addition, the recursive behavior crosses volume boundaries because it
> is unaware of mount points and symlinks.  The side effect of this tool
> is that it will add/modify the specified user/group to the ACL of every
> object that can be reached as a subdirectory.   It will not follow the
> behavior of Windows that when applying recursive security permissions
> that the permissions on the children object must match those set on the
> parent.
>

Yes, that can happen, but in our case the users won't do any of those
customizations (more mount points, symlinks etc.), only a mapped AFS
"share", so that's not a problem for us ATM.
We just needed a quick and easy way to apply ACLs recursively and I did
this as a quick tool to help out users and my fellow sysadmins. I know it's
not perfect, but it's useful enough to do the stuff we need. So that's why I
shared it, because it can help out more people.


>
> Many organizations today have experienced unintentional data exposures
> or breaches due to incorrectly set ACLs in AFS.  I believe this tool as
> currently implemented will make such exposures more likely.
>
> Instead of deploying a new graphical tool to set ACLs I would prefer
> that you modify the Explorer Shell extension to support cloning the
> permission list defined by the user to child objects within the same
> volume.  That will be consistent with existing Windows behavior and will
> be consistent with end user expectations that ACLs be set via the object
> Properties.
>
>
I would like to help out with that, but I don't believe I have enough
knowledge about OpenAFS and Windows internals to make those changes. I can
try it out if anyone is willing to mentor me.

Regards,
Pedro de Oliveira


> Thank you.
>
> Jeffrey Altman
>
>
>
>
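As an added example, not part of this thread and not the code of Pedro's tool or of OpenAFS, here is the volume-bounded recursion Jeffrey asks for: the walk stops at symlinks and at AFS mount points, and the `fs setacl` invocations that would clone one ACL to every directory are built first (with `-clear`, so stale entries disappear) so they can be reviewed before anything runs. It assumes `fs lsmount` exits non-zero when a path is not a mount point; `is_mount` is injectable so the walk can be exercised without an AFS client.

```python
import os
import subprocess
from typing import Callable, Dict, Iterator, List


def fs_is_mount(path: str) -> bool:
    """Ask the OpenAFS client whether `path` is a mount point.
    Assumption: `fs lsmount` exits 0 for a mount point, non-zero otherwise."""
    r = subprocess.run(["fs", "lsmount", path], capture_output=True, text=True)
    return r.returncode == 0


def same_volume_dirs(root: str,
                     is_mount: Callable[[str], bool] = fs_is_mount) -> Iterator[str]:
    """Yield `root` and every subdirectory reachable without following a
    symlink or crossing a mount point, i.e. everything in root's own volume."""
    for dirpath, dirnames, _ in os.walk(root, followlinks=False):
        yield dirpath
        keep = []
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or is_mount(full):
                continue  # symlink or volume boundary: do not descend
            keep.append(name)
        dirnames[:] = keep  # prune in place so os.walk stops here


def setacl_commands(root: str, acl: Dict[str, str],
                    is_mount: Callable[[str], bool] = fs_is_mount) -> List[List[str]]:
    """Build (but do not run) the `fs setacl` commands that clone `acl`
    (name -> rights, e.g. {"pedro": "rl"}) to every directory in the volume.
    `-clear` replaces the existing ACL so the children end up matching the
    parent instead of accumulating entries; review the list before running."""
    cmds = []
    for d in same_volume_dirs(root, is_mount):
        args = ["fs", "setacl", "-dir", d, "-clear", "-acl"]
        for name, rights in acl.items():
            args += [name, rights]
        cmds.append(args)
    return cmds


if __name__ == "__main__":
    # Dry run: print the commands for /afs/example/home/pedro (placeholder path).
    for cmd in setacl_commands("/afs/example/home/pedro",
                               {"system:administrators": "rlidwka", "pedro": "rlidwk"}):
        print(" ".join(cmd))
```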
