On Monday, October 30, 2006 07:12:10 PM -0500 Derek Atkins <[EMAIL PROTECTED]> wrote:
It's a security hole to allow anyone with write access to gain administrative priviledges just through "mkdir".
Well, you only gain bits with respect to the thing you created, so no, that's not really a hole. However, there are plenty of people who don't like that behavior, and apparently one of them decided to "fix" it by removing implicit admin access for directory owners (looking at the history, it appears this was fileserver-no-implicit-a-for-directory-owners-20020612, written by probe and committed by zacheiss. Note that this change never appeared on the 1.2.x branch, but has always been present in 1.4.
The solution CMU settled on many years ago was to require both 'i' and 'w' to create subdirectories; this allowed you to have a dropbox where anyone could create a file without also letting people create private directories and steal quota. This feature can be turned on by compiling with -DDIRCREATE_NEED_WRITE, though there is no configure switch for that and it won't restore the implicit-admin behavior.
I do not believe there is a compilation flag to revert
No, there is not; the code to do this just isn't there any more. -- Jeff _______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
