On Thu, 16 Sep 2010 18:07:45 -0400 Steve Simmons <[email protected]> wrote:
> When I attach a USB device or hard drive, I expect it to be local.
> Sharing of local devices is almost never a default. The fact that
> someone attaches their sensitive data to an AFS device name shouldn't
> mean their data is suddenly shared. Least surprise applies, and
> security.
>
> What do acls mean at that point? If I mount something on
> /afs/.../scs/dev/hda3 and the acls for my account say it's publicly
> readable, can anyone in afsland mount and read my device?

Speaking as just a user... my first impression of this is that doing that wouldn't expose the local drive to AFS-land. Rather, any machine accessing /afs/.../scs/dev/hda3 would try to access the local device with major number 8, minor 32 (or whatever you made it with, and however the client interprets the block dev).

Exposing the block device to AFS-space I think would involve some more AFS-specific or application-specific knowledge of what's going on. Otherwise, how do you know which client has the device?

I'd expect other special files to have similar issues, though. You wouldn't normally expect with a fifo or domain socket to be worried about accesses from foreign networks.

-- 
Andrew Deason
[email protected]

OpenAFS-devel mailing list, https://lists.openafs.org/mailman/listinfo/openafs-devel
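The point above, that a device node in a shared tree is only a type plus a (major, minor) pair which each client resolves against its own kernel, suggests the audit a defender would run before exporting a tree or mounting one: list every special file in it and show what the numbers would name on this client. This is an added example, not code from the thread or from OpenAFS; the function names and the `devdir` parameter are my own, and the test's FIFO is a constructed sample.

```python
"""Audit a tree for special files. A device node in a shared tree (e.g. an /afs
path) is only a type plus (major, minor) that every client resolves against its
own kernel, so list such nodes before exporting a tree or mounting one."""
import os, stat
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class SpecialFile:
    path: str
    kind: str              # "block", "char", "fifo" or "socket"
    major: Optional[int]   # device numbers exist only for block/char nodes
    minor: Optional[int]

def decode_dev(rdev: int):
    """Split an st_rdev value into (major, minor) using this host's encoding."""
    return os.major(rdev), os.minor(rdev)

def classify(st: os.stat_result) -> Optional[str]:
    """Special-file kind for a stat result, or None for ordinary files/dirs/links."""
    for test, kind in ((stat.S_ISBLK, "block"), (stat.S_ISCHR, "char"),
                       (stat.S_ISFIFO, "fifo"), (stat.S_ISSOCK, "socket")):
        if test(st.st_mode):
            return kind
    return None

def audit_tree(root: str) -> List[SpecialFile]:
    """Walk root (symlinks not followed) and collect every special file in it."""
    found = []
    for dirpath, _dirs, names in os.walk(root):  # special files are listed in names
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: a symlink to /dev/sda must not be followed
            except OSError:
                continue
            kind = classify(st)
            if kind is None:
                continue
            major, minor = decode_dev(st.st_rdev) if kind in ("block", "char") else (None, None)
            found.append(SpecialFile(path, kind, major, minor))
    return found

def local_name(kind: str, major: int, minor: int, devdir: str = "/dev") -> Optional[str]:
    """Entry in this client's devdir with the same type and numbers, or None (hypothetical helper)."""
    for dev in audit_tree(devdir):
        if (dev.kind, dev.major, dev.minor) == (kind, major, minor):
            return dev.path
    return None
```

Run `audit_tree("/afs/.../scs/dev")` on each client and compare the `local_name` results: the same node can resolve to a different local disk on every machine, which is exactly why the ACL on the path says nothing about who can read the device.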
