Re: [OpenAFS] transitive "fs la"?

2007-09-04 Thread Garance A Drosihn

At 5:45 PM -0700 9/2/07, Adam Megacz wrote:

A user's rights on a directory are effectively moot unless s/he has
"l" permissions on every ancestor directory (up to the volume root).
So you could say that the "transitive" acl of a directory is its acl
minus permissions which cannot currently be exercised by virtue of the
acls on its ancestors.

I'm interested in a simple utility to print out this sort of effective
acl.  For bonus points, query the pts database and factor in group
membership (for example, a group you belong to has "l" on parent and
you personally have "l" on the directory itself).

Has anybody written this already, or should I take a crack at it?


I have a script written in ruby which does something kind-of along
the lines of what you want.  You can get the script at:

http://people.freebsd.org/~gad/tools/pathls

#   This program is an alternative to `ls -ld'.  For each pathname given
#   (i.e., "filename with a `/' in it"), this will show lstat-related
#   info for each segment in that path, followed by info on the original
#   pathname.

You'd want to run it with the --minafs option.  Here's a sample,
looking at three pathnames:

(43) pathls --minafs ~drosehn ~drosehn/public_html ~drosehn/private
 1.01]  l0777 -rl:NIL-   root root 2001H16 /home
-> /afs/rpi.edu/home
  .02]  d0755 -rl:NIL-   daemon   user 2007H27 /home/37
  .03]  d0775 -l:NIL-drosehn  user 2007H23 /home/37/drosehn
 2.04]  d0777 -NIL:NIL-  drosehn  user 2007H23 /home/37/drosehn/private
 3.04]  d0777 -rl:NIL-   drosehn  g:20 2007F02 /home/37/drosehn/public_html


I wrote this because I'd hit an access error getting to some file deep
in AFS directories, and I'd have to go through each section of the path
to find out where the error was.  That was complicated by the fact that
we had a few symlinks at odd places, so you'd think you were in one part
of AFS, and you'd suddenly bounce over to a very different part.  I also
wanted to produce as dense an output as possible, while still showing me
all the info I might be interested in.  Also, we had a problem at the
time where we had some directories permitted to system:anyuser which
really should not have been.

The column with '-rl:NIL-' for the first entry is the column which
shows up when you specify --minafs.  It shows the access for
system:anyuser and system:authuser, separated by a colon.  Thus:

  "-rl:NIL-"  means:  system:anyuser has read+lookup access
  and system:authuser is "Not in List" (it has
  no specific access).

Note that --minafs only shows the access granted to those two AFS groups.
There is also a --listacl option, but that simply prints the output of
'fs listacl' for each path, and I didn't come up with any special
formatting for it.

There is no write-up for it, so you'd have to look at the source code
to see what options it supports.  And it's nothing more than "what I
wanted at the time", which may not be what anyone else would want.  I
wrote it about two years ago, so my memory of it is rather foggy.

Still, there are times when it has been very useful for me.

--
Garance Alistair Drosehn            =   [EMAIL PROTECTED]
Senior Systems Programmer           or  [EMAIL PROTECTED]
Rensselaer Polytechnic Institute    or  [EMAIL PROTECTED]
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] transitive "fs la"?

2007-09-03 Thread Jim Rees
I'm surprised at how many people misread Adam's message.  He explicitly
said the tool would walk the path only up to the volume root.


Re: [OpenAFS] transitive "fs la"?

2007-09-03 Thread Jeffrey Altman
Andrew Deason wrote:
> On Mon, 03 Sep 2007 01:53:15 -0400
> "Todd M. Lewis" <[EMAIL PROTECTED]> wrote:
> 
>> Go ahead, knock yourself out. Just keep in mind that the volume 
>> containing the directory you're interested in may be mounted in
>> multiple places, and while the user may not have "l" rights all the
>> way up the tree from one mountpoint, she might well have them from
>> another.
> 
> And remember anyone can create mountpoints anywhere they have access to
> (including other cells if your cell is public). So, if you're using this
> to verify the security of something, it's really only useful up to when
> you hit a mount point.

With dynroot and freelance you must assume that everyone has a mount
point to every volume in every cell.

Jeffrey Altman




Re: [OpenAFS] transitive "fs la"?

2007-09-02 Thread Andrew Deason
On Mon, 03 Sep 2007 01:53:15 -0400
"Todd M. Lewis" <[EMAIL PROTECTED]> wrote:

> Go ahead, knock yourself out. Just keep in mind that the volume 
> containing the directory you're interested in may be mounted in
> multiple places, and while the user may not have "l" rights all the
> way up the tree from one mountpoint, she might well have them from
> another.

And remember anyone can create mountpoints anywhere they have access to
(including other cells if your cell is public). So, if you're using this
to verify the security of something, it's really only useful up to when
you hit a mount point.

-- 
Andrew Deason
[EMAIL PROTECTED]


Re: [OpenAFS] transitive "fs la"?

2007-09-02 Thread Todd M. Lewis



Todd M. Lewis wrote:



Derrick J Brashear wrote:

On Sun, 2 Sep 2007, Adam Megacz wrote:



A user's rights on a directory are effectively moot unless s/he has
"l" permissions on every ancestor directory (up to the volume root).
So you could say that the "transitive" acl of a directory is its acl
minus permissions which cannot currently be exercised by virtue of the
acls on its ancestors.

I'm interested in a simple utility to print out this sort of effective
acl.  For bonus points, query the pts database and factor in group
membership (for example, a group you belong to has "l" on parent and
you personally have "l" on the directory itself).

Has anybody written this already, or should I take a crack at it?


You can probably use "ws" as a basis. See ws.c in my homedir in the 
andrew cell.


Go ahead, knock yourself out. Just keep in mind that the volume 
containing the directory you're interested in may be mounted in multiple 
places, and while the user may not have "l" rights all the way up the 
tree from one mountpoint, she might well have them from another.


For this reason, you might want to include in your results two distinct 
reports: whether "l" is available from the given directory up to the 
root level of the containing volume, and a separate indication of 
whether the user has "l" rights up the tree in the given path to /afs.


You might also want to make some decisions before you start writing code 
about how this would work when run by an admin (who could see all the 
ACLs) vs. a generic user (who may not).


One more thing. The "generic user" running this utility may or may not 
be the subject of the query. For example, I may want to check whether I 
have "l" all the way up from a given spot. Alternatively I might 
occasionally want to grant Doug access to some directory, but I'd need 
to run your utility on that directory with Doug as the subject user 
rather than myself to see if he can in fact get to the data.


So that's three scenarios: Admin testing a directory wrt an arbitrary 
subject user, Joe user testing a directory wrt himself, and Joe user 
testing a directory wrt some other user. Or a group.  Ooooh, with 
groups, that's, like, six scenarios. Or multiple users and/or groups at 
once. Gee, I didn't realize how badly I need this utility.


I'll stop now, or you may never get it written. :)
--
[EMAIL PROTECTED]


Re: [OpenAFS] transitive "fs la"?

2007-09-02 Thread Todd M. Lewis



Derrick J Brashear wrote:

On Sun, 2 Sep 2007, Adam Megacz wrote:



A user's rights on a directory are effectively moot unless s/he has
"l" permissions on every ancestor directory (up to the volume root).
So you could say that the "transitive" acl of a directory is its acl
minus permissions which cannot currently be exercised by virtue of the
acls on its ancestors.

I'm interested in a simple utility to print out this sort of effective
acl.  For bonus points, query the pts database and factor in group
membership (for example, a group you belong to has "l" on parent and
you personally have "l" on the directory itself).

Has anybody written this already, or should I take a crack at it?


You can probably use "ws" as a basis. See ws.c in my homedir in the 
andrew cell.


Go ahead, knock yourself out. Just keep in mind that the volume 
containing the directory you're interested in may be mounted in multiple 
places, and while the user may not have "l" rights all the way up the 
tree from one mountpoint, she might well have them from another.


For this reason, you might want to include in your results two distinct 
reports: whether "l" is available from the given directory up to the 
root level of the containing volume, and a separate indication of 
whether the user has "l" rights up the tree in the given path to /afs.


You might also want to make some decisions before you start writing code 
about how this would work when run by an admin (who could see all the 
ACLs) vs. a generic user (who may not).

--
[EMAIL PROTECTED]


Re: [OpenAFS] transitive "fs la"?

2007-09-02 Thread Derrick J Brashear

On Sun, 2 Sep 2007, Adam Megacz wrote:



A user's rights on a directory are effectively moot unless s/he has
"l" permissions on every ancestor directory (up to the volume root).
So you could say that the "transitive" acl of a directory is its acl
minus permissions which cannot currently be exercised by virtue of the
acls on its ancestors.

I'm interested in a simple utility to print out this sort of effective
acl.  For bonus points, query the pts database and factor in group
membership (for example, a group you belong to has "l" on parent and
you personally have "l" on the directory itself).

Has anybody written this already, or should I take a crack at it?


You can probably use "ws" as a basis. See ws.c in my homedir in the andrew 
cell.



[OpenAFS] transitive "fs la"?

2007-09-02 Thread Adam Megacz

A user's rights on a directory are effectively moot unless s/he has
"l" permissions on every ancestor directory (up to the volume root).
So you could say that the "transitive" acl of a directory is its acl
minus permissions which cannot currently be exercised by virtue of the
acls on its ancestors.

I'm interested in a simple utility to print out this sort of effective
acl.  For bonus points, query the pts database and factor in group
membership (for example, a group you belong to has "l" on parent and
you personally have "l" on the directory itself).

Has anybody written this already, or should I take a crack at it?

  - a

-- 
PGP/GPG: 5C9F F366 C9CF 2145 E770  B1B8 EFB1 462D A146 C380

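The transitive-ACL walk Adam describes, with the two separate reports Todd suggests (up to the volume root, and all the way to /afs) and pts group membership folded in, as an added Python illustration that is not pathls, ws.c or anything posted in the thread. The ACLs, pts groups and volume roots are constructed sample data rather than output of `fs listacl` or `pts membership`, and negative rights are not modelled.

```python
"""Transitive AFS ACL: rights on a directory are usable only if the user
has "l" on every ancestor.  Illustration only; ACLs, pts groups and volume
roots are constructed sample data, and negative rights are not modelled."""
import posixpath

# Constructed sample ACLs: directory -> {principal: rights letters}.
ACLS = {
    "/afs": {"system:anyuser": "rl"},
    "/afs/example.org": {"system:anyuser": "rl"},
    "/afs/example.org/home": {"system:anyuser": "l"},
    "/afs/example.org/home/37": {"system:authuser": "rl"},
    "/afs/example.org/home/37/alice": {"alice": "rlidwka", "alice:friends": "l"},
    "/afs/example.org/home/37/alice/private": {"alice": "rlidwka", "bob": "rl", "eve": "rl"},
}
GROUPS = {"alice:friends": {"bob", "carol"}}           # constructed pts groups
VOLUME_ROOTS = {"/afs/example.org", "/afs/example.org/home/37/alice"}  # mount points
ANONYMOUS = "anonymous"                                # unauthenticated caller

def principals(user):
    """ACL names that match this user: self, system:* groups, pts groups."""
    if user == ANONYMOUS:
        return {"system:anyuser"}
    mine = {user, "system:anyuser", "system:authuser"}
    return mine | {g for g, members in GROUPS.items() if user in members}

def rights_on(path, user):
    """Union of the rights granted by every ACL entry naming one of the user's principals."""
    mine = principals(user)
    rights = set()
    for principal, letters in ACLS.get(path, {}).items():
        if principal in mine:
            rights |= set(letters)
    return rights

def ancestors(path, to_volume_root=True):
    """Ancestors of path, nearest first, stopping at the volume root or at /afs."""
    out = []
    while path not in ("/afs", "/") and not (to_volume_root and path in VOLUME_ROOTS):
        path = posixpath.dirname(path)
        out.append(path)
    return out

def transitive_acl(path, user, to_volume_root=True):
    """Return (usable rights, first ancestor lacking "l" or None); an ancestor
    without lookup makes every right on the directory moot."""
    for ancestor in ancestors(path, to_volume_root):
        if "l" not in rights_on(ancestor, user):
            return set(), ancestor
    return rights_on(path, user), None
```

As Andrew and Jeffrey point out, the walk only vouches for the one path it was given; another mount point to the same volume may give a different answer.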