Hi Jeffrey, thanks for replying.

On Fri, May 9, 2014 at 3:40 PM, Jeffrey Altman <[email protected]> wrote:

> On 5/9/2014 6:22 AM, Pedro de Oliveira wrote:
> > Hi,
> >
> > I want to announce a little app that I made at work that allows to apply
> > OpenAFS ACLs recursively on Windows. Because the current way to apply
> > acls on Windows is a bit difficult for normal users.
>
> I am concerned that this application can cause serious harm as currently
> implemented.
>
> https://github.com/falsovsky/ACLAFS/blob/master/screenshot.png
>
> It does not show the end user the current list of permissions for all
> groups and users included in the ACL. It does not provide a mechanism
> to "clean" the ACL nor does it handle negative ACLs. All of which are
> provided in the AFS Explorer Shell Extension provided with the OpenAFS
> distribution. Select the object to be modified in the Explorer Shell,
> right-click to display the context menu and select Properties. The "AFS
> ACL" tab provides the user the ability to adjust the ACLs.
>

It only shows the permissions for the user/group typed in the "identifier". It allows to "clean" the ACL, just uncheck which ones you want to remove, or unselect all and it will use setacl none.

>
> In addition, the recursive behavior crosses volume boundaries because it
> is unaware of mount points and symlinks. The side effect of this tool
> is that it will add/modify the specified user/group to the ACL of every
> object that can be reached as a subdirectory. It will not follow the
> behavior of Windows that when applying recursive security permissions
> that the permissions on the children object must match those set on the
> parent.
>

Yes, that can happen, but in our case the users won't do any of those customizations (more mount points, symlinks etc), only a mapped to the AFS "share", so that's not a problem for us ATM. We just needed a quick and easy way to apply ACLs recursively and I did this as a quick tool to help out users and my fellow sysadmins. I know it's not perfect, but it's useful enough to do the stuff we need. So that's why I shared it, because it can help out more people.

>
> Many organizations today have experienced unintentional data exposures
> or breaches due to incorrectly set ACLs in AFS. I believe this tool as
> currently implemented will make such exposures more likely.
>
> Instead of deploying a new graphical tool to set ACLs I would prefer
> that you modify the Explorer Shell extension to support cloning the
> permission list defined by the user to child objects within the same
> volume. That will be consistent with existing Windows behavior and will
> be consistent with end user expectations that ACLs be set via the object
> Properties.
>

I would like to help out with that, but I don't believe I have enough knowledge about OpenAFS and Windows internals to make those changes. I can try it out if anyone is willing to mentor me.

Regards,
Pedro de Oliveira

> Thank you.
>
> Jeffrey Altman
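
The volume-boundary concern raised in this thread, as an added example that is not part of either message and is not ACLAFS or OpenAFS code: a dry-run planner that builds the `fs setacl` command list for a subtree while refusing to descend through symlinks or AFS mount points. The function names and the sample tree are hypothetical, and matching the wording of `fs lsmount` output to detect a mount point is an assumption.

```python
import os
import subprocess
import tempfile

def afs_is_mount_point(path):
    """Assumption: ask OpenAFS `fs lsmount` and match its usual wording."""
    try:
        out = subprocess.run(["fs", "lsmount", "-dir", path],
                             capture_output=True, text=True).stdout
    except OSError:  # `fs` not installed: nothing can be detected
        return False
    return "is a mount point for volume" in out

def plan_setacl(root, who, rights, is_mount_point=afs_is_mount_point):
    """Return (commands, skipped) for an ACL change confined to root's volume."""
    commands, skipped = [], []
    stack = [root]
    while stack:
        d = stack.pop()
        commands.append(["fs", "setacl", "-dir", d, "-acl", who, rights])
        with os.scandir(d) as it:
            for entry in sorted(it, key=lambda e: e.name, reverse=True):
                if entry.is_symlink():
                    # A symlink may lead anywhere; never follow it.
                    skipped.append((entry.path, "symlink"))
                elif entry.is_dir(follow_symlinks=False):
                    if is_mount_point(entry.path):
                        # Another volume starts here; stay out of it.
                        skipped.append((entry.path, "mount point"))
                    else:
                        stack.append(entry.path)
    return commands, skipped

def demo():
    """Constructed tree: a/b (plain), vol/ (pretend mount point), link -> outside."""
    base = tempfile.mkdtemp()
    root, outside = os.path.join(base, "root"), os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "a", "b"))
    os.makedirs(os.path.join(root, "vol", "deep"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(root, "link"))
    fake_mount = lambda p: os.path.basename(p) == "vol"  # stand-in for fs lsmount
    cmds, skipped = plan_setacl(root, "somegroup", "rl", fake_mount)
    dirs = [os.path.relpath(c[3], root) for c in cmds]
    return dirs, sorted((os.path.relpath(p, root), why) for p, why in skipped)

if __name__ == "__main__":
    print(demo())
```

The skipped list is meant to be shown to the operator before any command runs, so a mount point or symlink inside the tree is a visible decision rather than a silent crossing.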
