On Mon, Jan 18, 2010 at 2:32 PM, Derrick Brashear <[email protected]> wrote:
> On Mon, Jan 18, 2010 at 2:26 PM, Adam Megacz <[email protected]> wrote:
>>
>> Jeffrey Altman <[email protected]> writes:
>>> One of the reasons for this approach is that file servers do not process
>>> paths when responding to the cache manager requests.
>>
>> I was actually stunned by this when I read vnode.c/viced.c... apparently
>> RENAME is the only operation that walks to the root of the directory
>> hierarchy (because the fileserver must guard against cyclic directory
>> paths). Surprising!
>>
>> Does this mean that if we have a setup like this:
>>
>>   mkdir foo
>>   fs sa foo system:anyuser rlidw
>>   mkdir foo/bar
>>   fs sa foo system:anyuser none
>>
>> That anonymous users can access "foo/bar/", so long as they know the FID
>> for "bar" -- either because the fourth command wasn't executed
>> immediately after the third, or else because they were simply patient
>> enough to guess it?
>
> Doesn't mean that in the slightest. Note that foo/bar/ is a directory
> and not actual data, but, the case is the same regardless.
> Permissions are enforced for every vnode. Look at
> Check_PermissionRights in afsfileprocs.c

Actually, reading that again, it means what you said, I think. The ACL on a directory conveys the rights it conveys. Don't set the ACL on a directory to something you don't mean. Nothing else is advertised.
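
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not OpenAFS code: a toy model of per-vnode ACL checking, plus an audit that finds subdirectories still granting rights after an ancestor was locked down. The `FileServer` class and its method names are hypothetical; the model covers directories only and assumes a new directory copies its parent's ACL once at creation.

```python
# Toy model, constructed for illustration; not OpenAFS code.
class FileServer:
    def __init__(self):
        self.acl = {1: {}}        # FID -> {principal: rights}; FID 1 is the volume root
        self.names = {}           # (parent FID, name) -> child FID
        self.next_fid = 2

    def mkdir(self, parent_fid, name):
        fid = self.next_fid
        self.next_fid += 1
        self.acl[fid] = dict(self.acl[parent_fid])  # ACL copied once, at creation
        self.names[(parent_fid, name)] = fid
        return fid

    def setacl(self, fid, principal, rights):
        # Mirrors "fs sa <dir> <principal> <rights>"; "none" removes the entry.
        if rights == "none":
            self.acl[fid].pop(principal, None)
        else:
            self.acl[fid][principal] = rights

    def allowed(self, fid, principal, right):
        # Per-vnode check only: ancestor ACLs are never consulted.
        return right in self.acl[fid].get(principal, "")

    def exposed_descendants(self, top_fid, top_name, principal):
        """Audit: directories below top_fid that still grant rights to
        principal although some ancestor in the subtree grants it none."""
        found = []

        def walk(fid, path, blocked):
            rights = self.acl[fid].get(principal, "")
            if blocked and rights:
                found.append((path, rights))
            for (parent, name), child in sorted(self.names.items()):
                if parent == fid:
                    walk(child, path + "/" + name, blocked or not rights)

        walk(top_fid, top_name, False)
        return found


def demo():
    """Replays the four commands from the thread against the toy model."""
    fs = FileServer()
    foo = fs.mkdir(1, "foo")
    fs.setacl(foo, "system:anyuser", "rlidw")
    bar = fs.mkdir(foo, "bar")            # inherits rlidw from foo
    fs.setacl(foo, "system:anyuser", "none")
    return fs, foo, bar
```

In the model, as in the thread's conclusion, the fix is to set the ACL on `foo/bar` itself (`fs sa foo/bar system:anyuser none`), after which the audit returns nothing.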
