On Thu, 12 Nov 2009 12:23:20 -0800 Russ Allbery <[email protected]> wrote:
> Andrew Deason <[email protected]> writes:
>
> > In other words: *** PLEASE SPEAK UP *** if you want to be able to
> > prevent normal users from doing something like "fs setacl ${HOME}
> > system:authuser rlidwka" even when they have the 'a' bit on ${HOME}.
>
> > Even if it's just "+1, yes, I want that", please say something.
>
> It's not as important as being able to block system:anyuser, but yes,
> I'd ideally like to be able to block arbitrary PTS groups from being
> added to ACLs with "all" or "write" access.

Thanks for being the first to speak up, but I want to make clear that this sub-thread was specifically about system:authuser restrictions, since it's kind of a special case.

Blocking "arbitrary PTS groups" from getting certain rights in ACLs has issues. Such issues have been discussed elsewhere, but really quickly for everyone:

The thing is, for the non-special groups (i.e. most groups), blocking a specific group people.foo in an ACL doesn't do much, since you can just 'pts add people.foo adeason:foo', and then put adeason:foo in the ACL. Unless we also change the permissions of supergroup creation or something, there's not really a way around that.

So we have some different mechanisms for 'normal' groups, but those are outlined in that big "3 methods" email.

-- 
Andrew Deason
[email protected]
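
The nesting issue described in the message, as an added example (not part of the original e-mail and not OpenAFS code): a Python audit over constructed data that compares a name-only match on a blocked group with a match that first expands nested group membership. The dict layout, the function names, and every user or group name other than people.foo and adeason:foo are assumptions made for illustration.

```python
# Constructed sample data: group -> direct members (users or other groups).
# adeason:foo contains people.foo, as after 'pts add people.foo adeason:foo'.
MEMBERS = {
    "people.foo": {"alice", "bob"},
    "adeason:foo": {"people.foo"},
    "adeason:ro": {"people.foo"},
}
# Constructed directory ACL: principal -> AFS rights letters.
ACL = {
    "adeason": "rlidwka",
    "adeason:foo": "rlidwk",   # "write" shorthand
    "adeason:ro": "rl",        # "read" shorthand
    "system:anyuser": "l",
}
BLOCKED = {"people.foo"}
# Assumption: any right beyond lookup/read counts as write-or-stronger.
WRITE_RIGHTS = set("idwka")


def contained_groups(principal, members, _seen=None):
    """Return every group nested inside `principal`, directly or indirectly."""
    seen = set() if _seen is None else _seen
    for m in members.get(principal, ()):
        # A member that is itself a key in `members` is a group.
        if m in members and m not in seen:
            seen.add(m)  # marking before recursing also stops cycles
            contained_groups(m, members, seen)
    return seen


def name_only_check(acl, blocked):
    """Flag ACL entries whose principal name is literally a blocked group."""
    return sorted(p for p, r in acl.items()
                  if p in blocked and WRITE_RIGHTS & set(r))


def nested_check(acl, members, blocked):
    """Flag ACL entries that reach a blocked group through nesting."""
    findings = []
    for p, rights in acl.items():
        if not WRITE_RIGHTS & set(rights):
            continue  # read-only entries are out of scope for this check
        for g in ({p} | contained_groups(p, members)) & blocked:
            findings.append((p, g, rights))
    return sorted(findings)


if __name__ == "__main__":
    print("name-only:", name_only_check(ACL, BLOCKED))
    print("nested   :", nested_check(ACL, MEMBERS, BLOCKED))
```
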
