Subject: Re: ACL
To: Lord Isildur <mrfusion@umbar.vaxpower.org>
From: Bill Studenmund <wrstuden@zembu.com>
List: tech-kern
Date: 04/09/2001 16:48:34

On Mon, 9 Apr 2001, Lord Isildur wrote:

> There is a lot of documentation for AFS. Perhaps Transarc/IBM doesn't have it
> on their site, but the printed docs are very comprehensive, if you happen
> to be at a site that was a Transarc customer when AFS was commercial.
> Personally, for ACLs, I find the AFS model to be a nice compromise.
> ACLs are for directories only, but there is a very nice groups mechanism
> for making things as flexible as you could ever need. Some people have
> hinted that they want per-file ACLs, but directory ACLs are a lot less
> overhead and you get quite a decent degree of control. Some of the mode
> bits on a directory in AFS frob some of the (effective) UNIX mode bits for
> the files in the directory, otherwise the UNIX mode bits dictate access
> as usual. AFS has the concept of both positive and negative rights, so that
> one can either explicitly grant or explicitly revoke rights, too. It makes
> something like suspending someone's account very easy.
> Actually, once upon a time, AFS was hacked into NetBSD by somebody. If
> any of this code still exists, it would provide an example of making the ACLs
> work, too. I think this was circa NetBSD 1.2 or so.

I agree that AFS ACLs would be a good intermediate step. The one problem
with the code you mention is that it's encumbered by the Transarc
restrictive license. :-( So while it could provide some info, it could
also taint the effort to add ACL support.

Take care,

Bill
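
The directory-ACL model described in the quoted message (group grants plus positive and negative rights), as an added example that is not part of the original thread and not AFS or NetBSD code. The struct layout, function names and sample users are hypothetical; only the seven "rlidwka" rights are AFS's own.

```c
#include <stdio.h>
#include <string.h>

/* AFS directory rights, one bit per letter of "rlidwka". */
enum { A_READ = 1, A_LOOKUP = 2, A_INSERT = 4, A_DELETE = 8,
       A_WRITE = 16, A_LOCK = 32, A_ADMIN = 64, A_ALL = 127 };

/* Hypothetical in-memory layout, not the AFS wire or disk format. */
struct ace  { const char *who; unsigned rights; int negative; };
struct user { const char *name; const char *groups[4]; /* NULL-terminated */ };

/* An entry applies if it names the user or one of the user's groups. */
static int applies(const struct ace *e, const struct user *u)
{
    if (strcmp(e->who, u->name) == 0)
        return 1;
    for (int i = 0; i < 4 && u->groups[i] != NULL; i++)
        if (strcmp(e->who, u->groups[i]) == 0)
            return 1;
    return 0;
}

/* Union of applicable positive rights, minus union of applicable negative rights. */
unsigned effective_rights(const struct ace *acl, size_t n, const struct user *u)
{
    unsigned pos = 0, neg = 0;
    for (size_t i = 0; i < n; i++) {
        if (!applies(&acl[i], u))
            continue;
        if (acl[i].negative) neg |= acl[i].rights;
        else pos |= acl[i].rights;
    }
    return pos & ~neg;
}

/* Constructed sample: one directory ACL and three users. */
static const struct ace dir_acl[] = {
    { "staff",   A_ALL & ~A_ADMIN, 0 },  /* group grant: rlidwk */
    { "interns", A_READ | A_LOOKUP, 0 }, /* group grant: rl */
    { "mallory", A_ALL, 1 },             /* negative entry: account suspended */
};
static const struct user alice   = { "alice",   { "staff", NULL } };
static const struct user bob     = { "bob",     { "interns", NULL } };
static const struct user mallory = { "mallory", { "staff", "interns", NULL } };

int main(void)
{
    printf("alice=%u bob=%u mallory=%u\n", effective_rights(dir_acl, 3, &alice),
           effective_rights(dir_acl, 3, &bob), effective_rights(dir_acl, 3, &mallory));
    return 0;
}
```

The single negative entry leaves mallory with no rights even though both group grants still apply, which is the account-suspension case the quoted message mentions.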