"Brandon S. Allbery KF8NH" wrote:
> If a directory foo is ACLed to forbid access to someone, they cannot access
> foo/bar even if an ACL on foo/bar grants them access because getting there
> requires traversal of foo. They can, however, get to foo/bar if an ACL on
> foo grants them "l" access.

This is mostly true.
Existing AFS client implementations will not traverse the forbidden
directory, so you can't build a layout like that and expect it to work.
In that sense, Brandon is right.
However, the file *server* considers the subdirectory to be fair game
if someone magics up the right RPC and fetches the directory (which
probably wouldn't be all that hard). So you can't build a layout like
that and expect the subdirectories to be private, either...
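
Added example, not part of the original post: a Python audit that flags directories whose own ACL grants a principal lookup ("l") while an ancestor's ACL withholds it, i.e. directories that are hidden only by client-side path traversal. The ACL table, paths, user names and function names are constructed for illustration, and the two check functions are a simplified model of the behaviour described above, not AFS code.

```python
import posixpath

# Constructed sample: per-directory ACLs as they might be collected with
# `fs listacl`. Paths, principals and rights are made up for illustration.
ACLS = {
    "/vol":         {"normal": {"system:anyuser": "l", "alice": "rlidwka"}, "negative": {}},
    "/vol/foo":     {"normal": {"alice": "rlidwka"}, "negative": {}},
    "/vol/foo/bar": {"normal": {"alice": "rlidwka", "bob": "rl"}, "negative": {}},
    "/vol/foo/baz": {"normal": {"alice": "rlidwka"}, "negative": {}},
    "/vol/pub":     {"normal": {"system:anyuser": "rl"}, "negative": {"bob": "rl"}},
    "/vol/pub/sub": {"normal": {"bob": "rl"}, "negative": {}},
}

def rights(acl, ids):
    """Effective rights: union of normal entries minus union of negative ones."""
    granted = set().union(*(set(acl["normal"].get(i, "")) for i in ids))
    denied = set().union(*(set(acl["negative"].get(i, "")) for i in ids))
    return granted - denied

def server_allows(acls, path, ids):
    """Assumed model of the server-side view: only the directory's own ACL counts."""
    return "l" in rights(acls[path], ids)

def client_reachable(acls, path, ids):
    """Assumed model of client traversal: every ancestor must grant lookup ("l")."""
    parent = posixpath.dirname(path)
    while parent in acls:
        if "l" not in rights(acls[parent], ids):
            return False
        up = posixpath.dirname(parent)
        if up == parent:  # reached the root; stop climbing
            break
        parent = up
    return True

def privacy_depends_on_parent(acls, ids):
    """Directories the principal is granted, hidden only by an ancestor's ACL."""
    return sorted(p for p in acls
                  if server_allows(acls, p, ids) and not client_reachable(acls, p, ids))

if __name__ == "__main__":
    for p in privacy_depends_on_parent(ACLS, {"bob", "system:anyuser"}):
        print("ACL on this directory should be tightened:", p)
```

Each flagged directory needs the restriction applied to its own ACL rather than relying on the parent.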