On Mon, 18 Jan 2010 06:03:20 +0000 Adam Megacz <a...@megacz.com> wrote:
> Andrew Deason <adea...@sinenomine.net> writes:
> >> If you are talking about my transitive ACLs proposal, then the new
> >> foo/dir is still subject to the transitive acl on foo/.
> >
> > I said you put a transitive ACL on foo/dir.
>
> Then do what I said one more level up.

Yes, so then it's not terribly useful, unless you always use it at the
volume root. Hence, volume-level ACLs.

> Here, let's be more concrete:
>
>   fs sa /afs/@cell/web/ !system:authuser a -negative -transitive
>
> Normal users cannot "mv /afs/@cell/web/ /afs/@cell/web/". If they
> can, you've got the ACLs on /afs/@cell/web/ set wrong.

I would also hope you don't have your entire web tree (including user
personal webspace) all contained in one volume... you need to mark the
policy restrictions on the volumes mounted in the web tree anyway.

--
Andrew Deason
adea...@sinenomine.net