On Wed, Jan 24, 2001 at 06:12:32PM -0500, Stephan Koledin wrote:
> Sorry for all the questions today, but I ran into a strange situation
> that I can't quite figure out.
> 
> Basically, I have a simple replicated volume for hosting information via 
> anonymous ftp. The coda permissions are as follows for the whole mounted
> volume:
> 
> [skoledin_at_monkeyboy ftp]$ cfs la /coda/pub/ftp
> System:Administrators  rlidwka 
>       System:AnyUser  rl      
...
> [skoledin_at_monkeyboy ftp]$ chmod -R a-r bin

The unix permissions are sometimes used correctly, but sometimes ignored.
In this case, the missing 'r' bit blocks the client from even fetching
the object. Also ACLs sometimes seem to work counter-intuitive. What you
are trying to achieve is to have 'r'ead permission without 'l'ookup
permission, which doesn't work either.

Maybe we should initially ignore the unix permissions completely as far
as Venus is concerned, and permit/deny object access purely on the
directory ACL. The kernel and VFS should probably handle the access
based on the unix mode-bits.

In a way it gets pretty hard to get it all correct, because we would
need to have a per-user view on filesystem contents, so that the unix
modebits can be different for each user depending on which ACL's are in
effect.

> Has anyone run into this particular situation before? I think I remember
> Jan saying that ftp://coda.cs.cmu.edu is hosted off a coda volume, and
> the permissions there seem to be proper (bin/* not viewable via ls), so
> I guess I must be doing something wrong, I just can't figure out what.

www.coda is served out of Coda. ftp.coda was done similarily only for a
while, but isn't right now. And yes the /bin directory was visible.

Jan