braam_at_cs.cmu.edu said:
| So you want a sticky bit on the directory.  Not a bad idea - this is
| also quite desirable for email spool directories etc.  This is one of
| the main problems of the AFS/Coda security model.  Where it tries to
| diverge from Unix it runs into trouble in system directories like
| "mail", "/tmp" etc. where sticky bits are used.  But it is pretty easy
| to change Coda a little bit and perfectly acceptable, to accomodate
| this.

For the mail case, deliver mail to the user's home directory (or have a 
special per user `mail-volume' mounted).

For the /tmp case:

Have a `sticky' ACL flag to allow users to create and delete directories,
without inheriting ACLs from the parent directory.

something like:
$ cfs la /coda/tmp
System:Administrators all
System:AnyUser idlS

$ mkdir /coda/tmp/jan_test
$ cfs la /coda/tmp/jan_test
jaharkes all

Now if anything is put in the directory, other people definitely cannot
remove the directory. Wasn't there also something with security problems
related to a hacker placing a symlink in the /tmp directory so that 
programs creating temp files would either destroy, or remove some vital 
information (like /etc/passwd). And that most solutions against such an
attack actually first create a `secured' directory in /tmp, and put the
temporary files in there.

Jan