From 26f1504915861d7b6e37e10e0ef0fa49fb596ce6 Mon Sep 17 00:00:00 2001
From: Andrew Deason
Date: Tue, 7 Mar 2023 20:44:30 -0600
Subject: [PATCH] doc: Mention negative host ACL behavior

Permissions granted by host-based ACLs and non-host-based ACLs are
calculated separately (and transmitted somewhat differently, via
AnonymousAccess). So, if a caller is granted permissions via normal
user-based access, those permissions cannot be removed by host-based
entries in a negative ACL. And conversely, permissions granted by
host-based entries cannot be removed by negative ACLs for non-host-based
entries.

Both negative ACLs and host-based ACLs are uncommon and recommended
against, so this should not be a common combination. But this limitation
is not documented anywhere, so try to mention it in the fs_setacl
manpage, near some other text related to negative ACLs, to give affected
users a chance to figure out why it isn't working.

Change-Id: I13ba2adda1474a5e72271d3e843bb03feec29b67
Reviewed-on: https://gerrit.openafs.org/15340
Tested-by: BuildBot
Reviewed-by: Michael Meffie
Reviewed-by: Benjamin Kaduk
---
 doc/man-pages/pod1/fs_setacl.pod | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/doc/man-pages/pod1/fs_setacl.pod b/doc/man-pages/pod1/fs_setacl.pod
index 1e317f55c3..7b26eb92e3 100644
--- a/doc/man-pages/pod1/fs_setacl.pod
+++ b/doc/man-pages/pod1/fs_setacl.pod
@@ -56,6 +56,15 @@ note that it is futile to deny permissions that are granted to members of the system:anyuser group on the same ACL; the user needs only to issue the B command to receive the denied permissions. +Combining C granted from machine entries (IP addresses) and +C granted from non-machine entries (or vice versa) will +generally not work as expected. Permissions granted by machine entries and by +non-machine entries are calculated separately, and both sets of permissions are +given to an accessing user. For example, if permissions are granted to an +authenticated user or group (or C), you cannot remove those +permissions from specific hosts by adding machine entries to a group in an ACL +in the C section. + When including the B<-clear> option, be sure to reinstate an entry for each directory's owner that includes at least the C (lookup) permission. Without that permission, it is impossible to resolve the "dot"
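Review bot: the added paragraph says the combination "will generally not work as expected", which is weaker than the rule the commit message states; since machine-entry and non-machine-entry permissions are computed separately and both sets are granted, a negative entry of one kind never removes a permission granted by the other kind, and the manpage would be more useful if it said that outright. The practical risk for an administrator is that host entries added under the negative section to carve specific hosts out of a user or group grant have no effect at all, and the grant still applies in full from those hosts with no error or warning, so stating "the negative entries are ignored for that purpose" is clearer than "not as expected". The worked example also covers only one direction; the converse from the commit message, that negative entries for users or groups cannot remove permissions granted by machine entries, is carried only by "(or vice versa)" and deserves its own sentence, for example: "Likewise, negative entries for users or groups cannot remove permissions granted by machine entries."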