    afs: Ignore AFS_ACE_READ and AFS_ACE_WRITE for directories · ba6b6882
    Marc Dionne authored
    The AFS_ACE_READ and AFS_ACE_WRITE permission bits should not
    be used to make access decisions for the directory itself.  They
    are meant to control access for the objects contained in that
    directory.
    
    Reading a directory is allowed if the AFS_ACE_LOOKUP bit is set.
    This would cause an incorrect access denied error for a directory
    with AFS_ACE_LOOKUP but not AFS_ACE_READ.
    
    The AFS_ACE_WRITE bit does not allow operations that modify the
    directory.  For a directory with AFS_ACE_WRITE but neither
    AFS_ACE_INSERT nor AFS_ACE_DELETE, this would result in trying
    operations that would ultimately be denied by the server.
    Signed-off-by: Marc Dionne <marc.dionne@auristor.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
security.c 9.06 KB
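
The two cases in the commit message, as a simplified userspace model added here for illustration; it is not the kernel's security.c code. The function names, the REQ_* request flags and the numeric bit values are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* ACE bit names are from the commit message; numeric values are assumed here. */
#define AFS_ACE_READ    0x01u
#define AFS_ACE_WRITE   0x02u
#define AFS_ACE_INSERT  0x04u
#define AFS_ACE_LOOKUP  0x08u
#define AFS_ACE_DELETE  0x10u

/* Hypothetical request flags standing in for the caller's read/write intent. */
#define REQ_READ   0x1u
#define REQ_WRITE  0x2u

/* Model of the behaviour the commit removes: READ and WRITE are
 * consulted for the directory itself. */
static bool dir_access_before(unsigned access, unsigned req)
{
    if ((req & REQ_READ) && !(access & AFS_ACE_READ))
        return false;
    if ((req & REQ_WRITE) &&
        !(access & (AFS_ACE_INSERT | AFS_ACE_DELETE | AFS_ACE_WRITE)))
        return false;
    return true;
}

/* Model of the intended rule: LOOKUP governs reading the directory,
 * INSERT or DELETE govern modifying it. */
static bool dir_access_after(unsigned access, unsigned req)
{
    if ((req & REQ_READ) && !(access & AFS_ACE_LOOKUP))
        return false;
    if ((req & REQ_WRITE) && !(access & (AFS_ACE_INSERT | AFS_ACE_DELETE)))
        return false;
    return true;
}

int main(void)
{
    /* Constructed rights sets matching the two cases in the commit message. */
    unsigned lookup_only  = AFS_ACE_LOOKUP;
    unsigned lookup_write = AFS_ACE_LOOKUP | AFS_ACE_WRITE;

    printf("read,  LOOKUP only:    before=%d after=%d\n",
           dir_access_before(lookup_only, REQ_READ),
           dir_access_after(lookup_only, REQ_READ));
    printf("write, LOOKUP|WRITE:   before=%d after=%d\n",
           dir_access_before(lookup_write, REQ_WRITE),
           dir_access_after(lookup_write, REQ_WRITE));
    return 0;
}
```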