[OpenAFS] permission to run 'fs examine'

Richard Brittain Richard.Brittain@dartmouth.edu
Fri, 18 Mar 2016 14:33:00 -0400


--------------ms070306040709030305000304
Content-Type: text/plain; format=flowed; charset="US-ASCII"

Thanks.  I figured it was probably benign.

-- 
Richard Brittain,  Research Computing Group,
                    IT Services, 37 Dewey Field Road, HB6219
                    Dartmouth College, Hanover NH 03755
Richard.Brittain@dartmouth.edu 603-646-2085
--------------ms070306040709030305000304
Content-Type: multipart/mixed; boundary="------------060305090206000109070202"
Content-ID: <alpine.LRH.2.20.1603181432102.18795@polaris.dartmouth.edu>
Content-Description:

--------------060305090206000109070202
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: QUOTED-PRINTABLE
Content-ID: <alpine.LRH.2.20.1603181432103.18795@polaris.dartmouth.edu>

This change occurred in 2012.  See http://gerrit.openafs.org/7705

The "fs examine" command causes the cache manager to issue a
RXAFS_GetVolumeStatus RPC.  The returned data is publicly accessible via
the volserver RPCs so there was no benefit to locking it down via the
fileserver RPCs.

The Windows operating system requires knowledge of the volume size, free
space, quota and other statistics independent of the access rights of
the user processes.  See the commit message for further details.

Jeffrey Altman


On 3/17/2016 3:43 PM, Richard Brittain wrote:
> I discovered an apparent change in the access control on "fs examine"
> recently.  The docs say you need 'r' access on the root of the volume
> for this to work, and that definitely used to work.  We use this inside=

> a wrapper script for more convenient quota checking, and I was used to
> getting the permission errors, but not any more.
>=20
> Now it seems to work all the time regardless of tokens or volume ACL,
> from clients on Linux, Mac and Windows.  Our servers are a mishmash of
> versions.  The DBs are 1.6.14.1 and 1.6.5, and the file servers 1.6.9
> and 1.6.14.1.  If this access control is a function of the DB servers,
> then the timing of our upgrade to 1.6.14.1 might be consistent with whe=
n
> this started.
>=20
> PRIVILEGE REQUIRED
>    The issuer must have the "r" (read) permission on the ACL of the roo=
t
> directory of the volume that
>    houses the file or directory named by the -path argument, and "l"
> (list) permission on the ACL of each
>    directory that precedes it in the pathname.
>=20
>=20
> Richard

--------------060305090206000109070202
Content-Type: text/x-vcard; charset="utf-8"; name="jaltman.vcf"
Content-Transfer-Encoding: QUOTED-PRINTABLE
Content-ID: <alpine.LRH.2.20.1603181432104.18795@polaris.dartmouth.edu>
Content-Disposition: attachment; filename="jaltman.vcf"

begin:vcard
fn:Jeffrey Altman
n:Altman;Jeffrey
org:AuriStor, Inc.
adr:Suite 6B;;255 West 94Th Street;New York;New York;10025-6985;United St=
ates
email;internet:jaltman@auristor.com
title:Founder and CEO
tel;work:+1-212-769-9018
note;quoted-printable:LinkedIn: https://www.linkedin.com/in/jeffreyaltman=
=3D0D=3D0A=3D
	Skype: jeffrey.e.altman=3D0D=3D0A=3D
=09
url:https://www.auristor.com/
version:2.1
end:vcard


--------------060305090206000109070202--

--------------ms070306040709030305000304--