Adam Megacz <a...@megacz.com> writes: > Jeffrey Altman <jalt...@secure-endpoints.com> writes:
>> If you want to apply a different policy to a sub tree within the volume >> user.foo, then you would split the volume at the directory where you >> want the new policy to take effect and apply the policy to the new >> volume. > Then what you really meant was "it's not terribly useful to superusers > unless you always use it at the volume root". > I can agree with that statement. I believe it's more than not terribly useful. I believe it actually doesn't work if applied to arbitrary directories due to the way the AFS wire protocol works and the way the file server thinks about objects. What volume a given file is included in is something that stays consistent in AFS. The *data* can be moved between volumes, but the file isn't. To move a file to another volume, you're actually deleting the old one and creating a new one. To some extent this is also true of what directory a file is contained in, due to disallowing cross-directory hardlinks and whatnot. But what directory *tree* a file is part of is ill-defined and could be changing dynamically during the operation because someone is moving directories around. Ascending a directory tree is an ill-defined operation. This is generally true in UNIX file systems as well, by the way. It's not particularly difficult to confuse getcwd(), which is the same algorithm that would be required to determine transitive ACLs at a directory level. I do it all the time by accident. -- Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/> _______________________________________________ OpenAFS-devel mailing list OpenAFS-devel@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-devel
