
[OpenAFS-devel] Re: "l" permissions are not actually weaker than we're telling people

Andrew Deason
Mon, 18 Jan 2010 12:11:07 -0800

On Mon, 18 Jan 2010 14:32:56 -0500
Derrick Brashear <sha...@gmail.com> wrote:

> > Does this mean that if we have a setup like this:
> >
> >    mkdir foo
> >    fs sa foo system:anyuser rlidw
> >    mkdir foo/bar
> >    fs sa foo system:anyuser none
> >
> > That anonymous users can access "foo/bar/", so long as they know
> > the FID for "bar" -- either because the fourth command wasn't
> > executed immediately after the third, or else because they were
> > simply patient enough to guess it?
> 
> Doesn't mean that in the slightest. Note that foo/bar/ is a directory
> and not actual data, but, the case is the same regardless.
> Permissions are enforced for every vnode. Look at
> Check_PermissionRights in afsfileprocs.c

I'm not sure if I'm misunderstanding you or Adam... because, yes it does
mean that. You can access files in foo/bar/ if you have the rights on
foo/bar/; the rights on foo/ do not come into play. Right?

So if you have rl on foo/bar/ but nothing on foo/, you can still read
files in foo/bar/ provided you know their FID.

-- 
Andrew Deason
adea...@sinenomine.net
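
Added example, not part of the original message or of OpenAFS: a small audit for the situation discussed in this thread, flagging directories where a principal still holds rights although an ancestor directory no longer grants that principal "l". The `fs listacl` text is constructed for the thread's foo/bar layout, the cell path `/afs/example.org` and both function names are hypothetical, and group membership is not resolved.

```python
import posixpath

# Constructed `fs listacl` output for the thread's layout (not captured from a real cell).
SAMPLE = """\
Access list for /afs/example.org/foo is
Normal rights:
  system:administrators rlidwka
Access list for /afs/example.org/foo/bar is
Normal rights:
  system:administrators rlidwka
  system:anyuser rlidw
Access list for /afs/example.org/pub is
Normal rights:
  system:anyuser rl
Access list for /afs/example.org/pub/docs is
Normal rights:
  system:anyuser rl
"""

def parse_listacl(text):
    """Return {directory: {principal: set(rights)}} with negative rights subtracted."""
    acls, neg, cur, section = {}, {}, None, None
    for line in text.splitlines():
        if line.startswith("Access list for ") and line.endswith(" is"):
            cur = line[len("Access list for "):-len(" is")]
            acls[cur], neg[cur], section = {}, {}, None
        elif line.strip() in ("Normal rights:", "Negative rights:"):
            section = acls if line.startswith("Normal") else neg
        elif line.strip() and cur is not None and section is not None:
            who, rights = line.split()
            section[cur][who] = set(rights)
    return {d: {w: r - neg[d].get(w, set()) for w, r in a.items()} for d, a in acls.items()}

def exposed_below_closed_parent(acls, who="system:anyuser"):
    """List (dir, rights, closed_ancestor) where `who` has rights under an ancestor without 'l'."""
    # Simplification: only the literal ACL entry for `who` is compared, groups are not expanded.
    findings = []
    for d, acl in sorted(acls.items()):
        rights = acl.get(who, set())
        parent = posixpath.dirname(d)
        while rights and parent not in ("", "/"):
            if parent in acls and "l" not in acls[parent].get(who, set()):
                findings.append((d, "".join(c for c in "rlidwka" if c in rights), parent))
                break
            parent = posixpath.dirname(parent)
    return findings

if __name__ == "__main__":
    for d, rights, parent in exposed_below_closed_parent(parse_listacl(SAMPLE)):
        print(f"{d}: system:anyuser has {rights}, but {parent} grants no 'l'")
```

Directories reported here rely on the parent ACL for protection, so their own ACLs need to be changed as well.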
