On 5/9/2014 6:22 AM, Pedro de Oliveira wrote:
> Hi,
>
> I want to announce a little app that I made at work that allows to apply
> OpenAFS ACLs recursively on Windows. Because the current way to apply
> acls on Windows is a bit difficult for normal users.

I am concerned that this application can cause serious harm as currently implemented.

https://github.com/falsovsky/ACLAFS/blob/master/screenshot.png

It does not show the end user the current list of permissions for all groups and users included in the ACL. It does not provide a mechanism to "clean" the ACL nor does it handle negative ACLs. All of which are provided in the AFS Explorer Shell Extension provided with the OpenAFS distribution. Select the object to be modified in the Explorer Shell, right-click to display the context menu and select Properties. The "AFS ACL" tab provides the user the ability to adjust the ACLs.

In addition, the recursive behavior crosses volume boundaries because it is unaware of mount points and symlinks.

The side effect of this tool is that it will add/modify the specified user/group to the ACL of every object that can be reached as a subdirectory. It will not follow the behavior of Windows that, when applying recursive security permissions, the permissions on the child objects must match those set on the parent.

Many organizations today have experienced unintentional data exposures or breaches due to incorrectly set ACLs in AFS. I believe this tool as currently implemented will make such exposures more likely.

Instead of deploying a new graphical tool to set ACLs I would prefer that you modify the Explorer Shell extension to support cloning the permission list defined by the user to child objects within the same volume. That will be consistent with existing Windows behavior and will be consistent with end user expectations that ACLs be set via the object Properties.

Thank you.

Jeffrey Altman
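
An added illustration of the volume-boundary point in the message above (not code from ACLAFS, OpenAFS or either poster): a dry-run walk in Python that lists only directories, never follows symlinks and stops at mount points. The `is_mount_point` callback and the sample tree are assumptions constructed for the example; a real tool would ask the AFS client, for instance with `fs lsmount`.

```python
import os
import tempfile


def plan_acl_targets(root, is_mount_point):
    """Dry run: list the directories a recursive ACL change may touch.

    AFS ACLs are set per directory, so only directories are targets.
    is_mount_point is a hypothetical callback reporting whether a
    directory is a mount point for another volume.
    """
    targets, skipped = [], []
    stack = [root]
    while stack:
        current = stack.pop()
        targets.append(current)
        with os.scandir(current) as entries:
            for entry in entries:
                if entry.is_symlink():
                    # Never follow links: the target may live anywhere.
                    skipped.append((entry.path, "symlink"))
                elif entry.is_dir(follow_symlinks=False):
                    if is_mount_point(entry.path):
                        # Volume boundary: report it, do not descend.
                        skipped.append((entry.path, "mount point"))
                    else:
                        stack.append(entry.path)
    return sorted(targets), sorted(skipped)


def demo():
    """Plan a change on a constructed sample tree (not real AFS data)."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "home")
        os.makedirs(os.path.join(root, "docs", "drafts"))
        # "project" stands in for a mount point to another volume.
        os.makedirs(os.path.join(root, "project", "private"))
        os.makedirs(os.path.join(base, "outside"))
        os.symlink(os.path.join(base, "outside"), os.path.join(root, "shortcut"))
        mounts = {os.path.join(root, "project")}  # constructed mount list
        targets, skipped = plan_acl_targets(root, mounts.__contains__)

        def rel(path):
            return os.path.relpath(path, root).replace(os.sep, "/")

        return [rel(t) for t in targets], [(rel(p), why) for p, why in skipped]


if __name__ == "__main__":
    print(demo())
```

The skipped list is what a user would review before anything is changed: each entry is a place where a naive recursion would have left the volume.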
