Coda File System

Re: regarding callbacks

From: Jan Harkes <jaharkes_at_cs.cmu.edu>
Date: Wed, 6 Aug 2014 17:20:24 -0400
On Wed, Aug 06, 2014 at 04:43:31PM -0400, Jan Harkes wrote:
> When a client caches even a single object (the root) of a volume, it is
> notified when any file in that volume changes and it has to download a
> list of all file identifiers that were changed, whether or not the
> client is even allowed to access those files.

Oh, right, I forgot to say that this is a potential security issue
because of the following scenario.

I have a volume with a default System:AnyUser rl ACL and I create a Mail
subdirectory and set up the maildir folders Mail/{cur,new,tmp}. Then I
realize that I don't want the world to read my email, so I remove the
AnyUser ACL from Mail/.

With normal callbacks nobody can get past Mail/, and so nobody will
be able to see the vnode/uniquifier parts of the file ids and as such will be
unable to read my email.

With a callback log, everyone who can access even a single object in the
volume gets the file ids for my email, and because the cur/new/tmp
directories still give System:AnyUser access, they have access to it.

So yes, the original breakdown is the fact that the subdirectories didn't
have appropriate ACLs, but it is not expected behaviour that someone can
get past that protected parent directory so easily.

Jan
Received on 2014-08-06 17:20:30
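The scenario above reduces to an ACL audit question: which directories grant a principal read rights on themselves while an ancestor withholds lookup ('l') from that principal? Under normal name-based lookup those directories are unreachable, but once file ids are known out of band (as a volume-wide callback log would reveal them), only the directory's own ACL still stands between the principal and the data. The following audit script is an added example, not code from the Coda project or from this thread; it models Coda's per-directory ACLs as a plain dictionary (a constructed sample tree mirroring the Mail/{cur,new,tmp} case), assumes only positive rights entries using the standard rights letters rlidwka, and reports the directories an administrator should tighten.

```python
"""Audit a Coda-style ACL tree for directories whose own ACL grants a
principal read access that the parent chain would normally block.

Constructed example for illustration; the ACL map would in practice be
gathered from `cfs listacl` output, which is not parsed here.
"""

# Constructed sample tree (not a real volume). path -> {principal: rights}.
# Coda rights letters: r(ead) l(ookup) i(nsert) d(elete) w(rite) k(lock)
# a(dminister). Negative rights are not modelled (assumption).
SAMPLE_ACLS = {
    "/": {"System:AnyUser": "rl", "owner": "rlidwka"},
    "/Mail": {"owner": "rlidwka"},  # AnyUser entry removed here
    "/Mail/cur": {"System:AnyUser": "rl", "owner": "rlidwka"},
    "/Mail/new": {"System:AnyUser": "rl", "owner": "rlidwka"},
    "/Mail/tmp": {"System:AnyUser": "rl", "owner": "rlidwka"},
    "/public": {"System:AnyUser": "rl", "owner": "rlidwka"},
}


def ancestors(path):
    """Yield the proper ancestors of path from the root down.

    ancestors("/Mail/cur") yields "/" then "/Mail".
    """
    parts = [p for p in path.split("/") if p]
    yield "/"
    for i in range(1, len(parts)):
        yield "/" + "/".join(parts[:i])


def rights_for(acls, path, principal):
    """Rights string the directory at path grants to principal ('' if none)."""
    return acls.get(path, {}).get(principal, "")


def path_traversable(acls, path, principal):
    """True when principal holds lookup ('l') on every ancestor of path,
    i.e. the directory can be reached by ordinary name lookup."""
    return all("l" in rights_for(acls, anc, principal) for anc in ancestors(path))


def find_shadow_exposures(acls, principal):
    """Return directories where principal has read ('r') on the directory
    itself but cannot reach it through its ancestors.

    These are exactly the directories whose contents become readable once
    their file ids are learned by some side channel, because the protected
    parent no longer participates in the access decision.
    """
    exposed = []
    for path in sorted(acls):
        if path == "/":
            continue
        own = rights_for(acls, path, principal)
        if "r" in own and not path_traversable(acls, path, principal):
            exposed.append(path)
    return exposed


if __name__ == "__main__":
    for directory in find_shadow_exposures(SAMPLE_ACLS, "System:AnyUser"):
        print(f"{directory}: readable by System:AnyUser but parent blocks lookup")
```

Running the script on the sample tree reports /Mail/cur, /Mail/new and /Mail/tmp, while /public is not reported because its only ancestor still grants lookup. The fix for each reported directory is the one Jan implies: remove or reduce the System:AnyUser entry on the subdirectory itself with `cfs setacl`, rather than relying on the parent directory to hide it.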