>> In conventional Unix, I can set a directory to "drwx--x--x" permissions
>> and then create subdirectories which users can access by name. This is
>> useful because no one can access files they don't know the name of.
>> However, I've just migrated to a new system that uses OpenAFS, and I
>> can't figure out a way to accomplish this. I tried the obvious thing of
>> setting the ACL to just "r", but apparently without the "l" permission,
>> nothing else works. Is there any other way to do this?
>
> No. I'm afraid AFS doesn't support this.
That's rather unfortunate as it makes it very difficult to work the way I want to. One thing I wanted to do was share files with unauthenticated users in other cells without exposing them to the whole world. Although ACLs are useful, I've noticed that AFS has some serious limitations compared to normal Unix filesystem permissions. Does anyone know what the thinking was behind these decisions?

Here are a couple of things I would do differently (could these be considered feature requests?):

1) Restore the ability to have "hidden" directories, for example, by paying attention to the "r" and "x" permissions on directories, or by creating a new ACL that could be used in place of "l" (maybe "s" for seek?). Also, some equivalent to the "t" directory mode bit would be useful (allowing users to create/delete files, but only if they are the owner).

2) The per-directory limitation on permissions is quite onerous, especially considering that AFS already stores the mode bits. Would it be possible to make the AFS server pay more attention to the Unix chmod permissions on individual files? The user bits would restrict the user from reading/writing their own files, the "other" bits would limit the system:anyuser account, and the "group" bits would limit the other users that are explicitly mentioned in the ACL. These mode bits would be subtractive to permissions, i.e. no one would have more permissions than the ACL granted. This would allow me, for example, to give system:anyuser "rl" access in my home directory, while still restricting certain dotfiles that I don't want people to see, without having to put symlinks for half my files.

I think these changes would make AFS a lot more acceptable to people accustomed to working with most other Unix filesystems.

Tom
_______________________________________________
OpenAFS-info mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-info
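The Unix "drwx--x--x" behaviour the quoted question relies on, as an added example that is not part of the original thread: a directory with execute but no read permission can be traversed by a known name but not listed, so a file under it is reachable only by someone who already knows the path. The directory layout below is constructed in a temporary directory for the demonstration; the AFS side of the question (setting an ACL with "r" but no "l") needs a real cell and is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the original post): show that a mode-711 directory
# can be traversed by name but not listed.  All paths are constructed here.
set -u

# Returns 0 if this process can list the directory given as $1.
can_list() {
    ls "$1" >/dev/null 2>&1
}

# Returns 0 if this process can read the file given as $1.
can_read() {
    cat "$1" >/dev/null 2>&1
}

# Build  $base/pub (711) -> $base/pub/secret (755) -> note.txt (644),
# then report "listable readable" as two 0/1 flags.
# As an ordinary user this prints "0 1": the parent cannot be listed,
# but the file can still be read by its full name.  Note that root
# bypasses discretionary mode bits entirely and would see "1 1", so
# run this as an unprivileged user to observe the effect.
hidden_dir_demo() {
    base=$(mktemp -d)
    mkdir "$base/pub" "$base/pub/secret"
    printf 'hello\n' > "$base/pub/secret/note.txt"
    chmod 711 "$base/pub"
    chmod 755 "$base/pub/secret"
    chmod 644 "$base/pub/secret/note.txt"

    listable=0
    readable=0
    can_list "$base/pub" && listable=1
    can_read "$base/pub/secret/note.txt" && readable=1

    rm -rf "$base"
    echo "$listable $readable"
}

hidden_dir_demo
```

The "hidden" property depends on nobody else having read permission on the parent directory; anyone who can run `ls` on it, or who is told the subdirectory name out of band, can reach the files, which is exactly the name-as-capability model the question describes.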
