doc: Mention negative host ACL behavior

Permissions granted by host-based ACLs and non-host-based ACLs are
calculated separately (and transmitted somewhat differently, via
AnonymousAccess). So, if a caller is granted permissions via normal
user-based access, those permissions cannot be removed by host-based
entries in a negative ACL. And conversely, permissions granted by
host-based entries cannot be removed by negative ACLs for
non-host-based entries.

Both negative ACLs and host-based ACLs are uncommon and recommended
against, so this should not be a common combination. But this
limitation is not documented anywhere, so try to mention it in the
fs_setacl manpage, near some other text related to negative ACLs, to
give affected users a chance to figure out why it isn't working.

Change-Id: I13ba2adda1474a5e72271d3e843bb03feec29b67
Reviewed-on: https://gerrit.openafs.org/15340
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Michael Meffie <mmeffie@sinenomine.net>
Reviewed-by: Benjamin Kaduk <kaduk@mit.edu>
Andrew Deason 2023-03-07 20:44:30 -06:00 committed by Michael Meffie
parent 4731c80609
commit 26f1504915
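The rule the commit message describes (machine-entry rights and user/group rights are evaluated as two separate sets, and the caller receives both) can be made concrete with a small model. The code below is an added illustration written for this page, not OpenAFS code: the real fileserver's evaluation (PTS group expansion, the AnonymousAccess transport, the fact that IP addresses are placed in a group rather than directly on the ACL) is collapsed into a flat list of entries, the `AclEntry`/`Caller` types are hypothetical, and the IP addresses are constructed sample values. It also includes a small lint that flags the cross-set combination the man page change warns about, which is the check an administrator would want before relying on a negative machine entry.

```python
# Added illustrative model (not OpenAFS code): how a caller's effective AFS
# rights come out when machine entries and user/group entries are mixed.
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    principal: str          # user name, group name, or (simplified) an IP address
    rights: frozenset       # subset of the AFS rights letters "rlidwka"
    negative: bool = False  # True if listed under "Negative rights"
    is_host: bool = False   # True for a machine (IP address) entry


@dataclass(frozen=True)
class Caller:
    user: str
    groups: frozenset
    host: str               # address the request arrives from (constructed)


def _applies(entry: AclEntry, caller: Caller) -> bool:
    """Does this entry name the caller? Host entries match by address,
    everything else by user name, group membership, or system:anyuser."""
    if entry.is_host:
        return entry.principal == caller.host
    return (entry.principal == caller.user
            or entry.principal in caller.groups
            or entry.principal == "system:anyuser")


def _rights_from(acl, caller, host_based):
    """Rights from ONE of the two independently evaluated sets: positive
    entries minus negative entries, looking only at entries of the
    requested kind (machine entries, or user/group entries)."""
    granted, denied = set(), set()
    for e in acl:
        if e.is_host == host_based and _applies(e, caller):
            (denied if e.negative else granted).update(e.rights)
    return granted - denied


def effective_rights(acl, caller):
    """The caller receives the union of both sets, so a negative entry can
    only subtract rights granted within its own set. That is the
    limitation the commit documents."""
    return _rights_from(acl, caller, False) | _rights_from(acl, caller, True)


def cross_set_negatives(acl):
    """Lint: flag negative entries that sit in a different set from the
    positive entries they are presumably meant to cancel."""
    positive_host = any(e.is_host and not e.negative for e in acl)
    positive_user = any(not e.is_host and not e.negative for e in acl)
    findings = []
    for e in acl:
        if e.negative and e.is_host and positive_user:
            findings.append(f"negative machine entry {e.principal} cannot "
                            f"remove rights granted by user/group entries")
        elif e.negative and not e.is_host and positive_host:
            findings.append(f"negative user/group entry {e.principal} cannot "
                            f"remove rights granted by machine entries")
    return findings


R = frozenset
# Constructed sample ACL: everyone may read and list; the admin tried to
# block one address with a negative machine entry; bob is denied read.
SAMPLE_ACL = (
    AclEntry("system:anyuser", R("rl")),
    AclEntry("192.0.2.10", R("rl"), negative=True, is_host=True),
    AclEntry("bob", R("r"), negative=True),
)

if __name__ == "__main__":
    alice = Caller("alice", R({"staff"}), "192.0.2.10")
    print(sorted(effective_rights(SAMPLE_ACL, alice)))  # ['l', 'r']: the block has no effect
    bob = Caller("bob", R(), "203.0.113.5")
    print(sorted(effective_rights(SAMPLE_ACL, bob)))    # ['l']: same-set negative works
    for finding in cross_set_negatives(SAMPLE_ACL):
        print("warning:", finding)
```

Running it shows the two outcomes side by side: the negative machine entry for `192.0.2.10` leaves alice's `rl` from `system:anyuser` untouched, while the negative user entry for bob does remove `r`, because it is in the same set as the grant. The lint reports exactly the first case. The same model reproduces the converse the commit message mentions: rights granted to a machine entry survive a negative user/group entry.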

@ -56,6 +56,15 @@ note that it is futile to deny permissions that are granted to members of
the system:anyuser group on the same ACL; the user needs only to issue the
B<unlog> command to receive the denied permissions.
Combining C<Negative rights> granted from machine entries (IP addresses) and
C<Normal rights> granted from non-machine entries (or vice versa) will
generally not work as expected. Permissions granted by machine entries and by
non-machine entries are calculated separately, and both sets of permissions are
given to an accessing user. For example, if permissions are granted to an
authenticated user or group (or C<system:anyuser>), you cannot remove those
permissions from specific hosts by adding machine entries to a group in an ACL
in the C<Negative rights> section.
When including the B<-clear> option, be sure to reinstate an entry for
each directory's owner that includes at least the C<l> (lookup)
permission. Without that permission, it is impossible to resolve the "dot"
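Review bot: the example in the new paragraph covers only one direction (rights granted to a user, group or C<system:anyuser> cannot be removed by machine entries under C<Negative rights>); since the "(or vice versa)" in the opening sentence is easy to miss, consider adding a second sentence for the converse case the commit message calls out, for example "Likewise, rights granted by machine entries cannot be removed by a C<Negative rights> entry for a user or group." It would also help to state the mechanism plainly in the second sentence, that the accessing user receives the union of the two separately computed sets, since that is the reason a negative entry in one set cannot subtract rights granted in the other.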