On Wed, 11 Nov 2009 14:42:53 -0500 Derrick Brashear <sha...@gmail.com> wrote:
> >> You can't. If we allow you to specify the 'anonymous' user, you
> >> could assign negative idwka rights to 'anonymous' on the
> >> volume-level ACL to prevent system:anyuser write access. But there
> >> is no way to prevent access for system:authuser.
> >>
> >> Note: giving a negative ACL on, say, system:anyuser would prevent
> >> _any_ user from getting rights; that's not what we'd want.
> >
> > Since system:anyuser represents all users, it seems to me we could
> > introduce a way to indicate anonymous users. Perhaps with a new
> > system group, system:anonusers which represents users that are
> > not authenticated?

While this could be helpful, this doesn't solve the problem for the
various system:authuser groups or host groups.

> > At that point we would specify a volume level negative right,
> >
> > Negative rights:
> > system:anonusers idwka
>
> Why do you need a group, as opposed to simply mapping 32766 to a name?

We already have a name, too: anonymous. Why can't we specify that in
normal ACLs now, anyway? Does it just have to do with how the ptserver
returns errors?

-- 
Andrew Deason
adea...@sinenomine.net
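Added example, not part of the original message and not OpenAFS code: a simplified Python model of the ACL evaluation the thread argues about, where a caller's rights are those granted by matching positive entries minus those in matching negative entries. It assumes 'anonymous' could be named in an ACL as the thread proposes; the users alice and bob and the sample ACL are constructed.

```python
# Simplified model (assumption): effective rights = union of matching
# positive entries minus union of matching negative entries.
ANONYMOUS = "anonymous"  # unauthenticated identity (id 32766 in the thread)

def memberships(user, groups):
    """Names that an ACL entry can match for this caller."""
    names = {user, "system:anyuser"}          # anyuser covers every caller
    if user != ANONYMOUS:
        names.add("system:authuser")          # only authenticated callers
    names.update(g for g, members in groups.items() if user in members)
    return names

def effective_rights(user, positive, negative, groups=None):
    granted, denied = set(), set()
    for name in memberships(user, groups or {}):
        granted |= set(positive.get(name, ""))
        denied |= set(negative.get(name, ""))
    # Negative entries always win over positive ones.
    return "".join(r for r in "rlidwka" if r in granted - denied)

# Constructed ACL: a directory left writable by everyone.
POSITIVE = {"system:anyuser": "rlidwk", "alice": "rlidwka"}

def scenarios():
    deny_anyuser = {"system:anyuser": "idwka"}   # hits every caller
    deny_anon = {ANONYMOUS: "idwka"}             # hypothetical ACL entry
    result = {}
    for label, neg in (("deny_anyuser", deny_anyuser), ("deny_anon", deny_anon)):
        for user in (ANONYMOUS, "alice", "bob"):
            result[(label, user)] = effective_rights(user, POSITIVE, neg)
    return result

if __name__ == "__main__":
    for key, rights in scenarios().items():
        print(key, rights)
```

The negative system:anyuser entry strips write rights from alice as well, while the negative 'anonymous' entry leaves the authenticated user bob with the rights he gets through system:anyuser.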