[OpenAFS-port-darwin] Unix permission bits
Sebastian Hagedorn
Hagedorn@uni-koeln.de
Wed, 04 Feb 2004 10:23:25 +0100
Hi,
--On Tuesday, 3 February 2004, 22:33 -0800 Chuck Boeheim
<boeheim@SLAC.Stanford.EDU> wrote:
> Thanks for your replies. The afssettings seems to work as
> advertised. It took me a little bit to come up with a case
> that was affected by this. To have a GUI problem, you have
> to have
>
> 1) a file or directory not owned by your uid.
> 2) an ACL that lets you in with your current token
> 3) group or other permission bits that contradict the ACL.
>
> Correct?
yes, that's how I understand it.
> I actually had to construct a test case, since
> I couldn't readily find one that failed. Perhaps that's
> because our umask is typically 022 and files and directories
> are readable by group and other. Do other sites see
> common failures?
I used to see it all the time. One of the problems was admittedly that my
local UID differed from my AFS UID - a stupid move, as it turned out.
Still, the change in 1.2.10a made that setup work. Since many or most Mac
users don't have the faintest idea how to change their local UID, to me it
seems as though that would be a rather common scenario.
> I would argue that RealModes = true should be the default
> for two reasons:
>
> 1) A user copying files to AFS for archival via 'cp -rp' or
> rsync will have all his files made world-writable when
> copying them back from AFS to the local file system.
> That's a pretty big security exposure, since the files
> could contain ssh keys, grid certificates, etc.
Most Macs are single-user anyway. You're right in principle, but I
think the current setting is the more pragmatic one for the time being.
Cheers, Sebastian Hagedorn
--
Sebastian Hagedorn M.A. - RZKR-R1 (Gebäude 52), Zimmer 18
Zentrum für angewandte Informatik - Universitätsweiter Service RRZK
Universität zu Köln / Cologne University - Tel. +49-221-478-5587
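The three conditions listed in the quoted message, written as a predicate. This is an added example, not part of the original message and not OpenAFS code. It assumes a GUI that decides from the Unix mode bits alone; the ACL decision is passed in as a boolean, and every UID, GID and mode below is constructed.

```python
# Constructed model of the mismatch described in the thread; no AFS calls are made.
NEED = {"r": 4, "w": 2, "x": 1}

def class_bits(mode, file_uid, file_gid, uid, gids):
    """rwx triple Unix applies to this caller: owner class, else group, else other."""
    if uid == file_uid:
        return (mode >> 6) & 7
    if file_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def gui_mismatch(mode, file_uid, file_gid, uid, gids, want, acl_allows):
    """True when all three conditions from the thread hold for the access in `want`."""
    if uid == file_uid:           # 1) must not be owned by the caller's uid
        return False
    if not acl_allows:            # 2) the ACL must let the current token in
        return False
    need = 0
    for c in want:
        need |= NEED[c]
    have = class_bits(mode, file_uid, file_gid, uid, gids)
    return (have & need) != need  # 3) group/other bits contradict the ACL

# Constructed sample values (assumptions, not from the thread): the local UID
# differs from the AFS UID, so the user's own AFS files fall under "other".
AFS_UID, LOCAL_UID = 5001, 501
FILE_GID, LOCAL_GIDS = 100, {20}

def demo():
    cases = {
        "umask 022 file, read": (0o644, "r"),
        "private file, read": (0o600, "r"),
        "group-only dir, list": (0o750, "rx"),
    }
    return {name: gui_mismatch(mode, AFS_UID, FILE_GID, LOCAL_UID, LOCAL_GIDS, want, True)
            for name, (mode, want) in cases.items()}

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'mismatch' if hit else 'consistent'}")
```

With a umask of 022 the read case stays consistent, which matches the observation that such failures are hard to find on those sites.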