[OpenAFS] permission to run 'fs examine'

Richard Brittain Richard.Brittain@dartmouth.edu
Fri, 18 Mar 2016 14:33:00 -0400


Thanks.  I figured it was probably benign.

Richard Brittain,  Research Computing Group,
                    IT Services, 37 Dewey Field Road, HB6219
                    Dartmouth College, Hanover NH 03755
Richard.Brittain@dartmouth.edu 603-646-2085

This change occurred in 2012.  See http://gerrit.openafs.org/7705

The "fs examine" command causes the cache manager to issue a
RXAFS_GetVolumeStatus RPC.  The returned data is publicly accessible via
the volserver RPCs so there was no benefit to locking it down via the
fileserver RPCs.

The Windows operating system requires knowledge of the volume size, free
space, quota and other statistics independent of the access rights of
the user processes.  See the commit message for further details.

Jeffrey Altman

On 3/17/2016 3:43 PM, Richard Brittain wrote:
> I discovered an apparent change in the access control on "fs examine"
> recently.  The docs say you need 'r' access on the root of the volume
> for this to work, and that definitely used to work.  We use this inside
> a wrapper script for more convenient quota checking, and I was used to
> getting the permission errors, but not any more.
> Now it seems to work all the time regardless of tokens or volume ACL,
> from clients on Linux, Mac and Windows.  Our servers are a mishmash of
> versions.  The DBs are and 1.6.5, and the file servers 1.6.9
> and  If this access control is a function of the DB servers,
> then the timing of our upgrade to might be consistent with when
> this started.
>    The issuer must have the "r" (read) permission on the ACL of the root
>    directory of the volume that houses the file or directory named by
>    the -path argument, and "l" (list) permission on the ACL of each
>    directory that precedes it in the pathname.
> Richard
