On Wed, Aug 06, 2014 at 04:43:31PM -0400, Jan Harkes wrote:
> When a client caches even a single object (the root) of a volume, it is
> notified when any file in that volume changes and it has to download a
> list of all file identifiers that were changed, whether or not the
> client is even allowed to access those files.

Oh, right, I forgot to say that this is a potential security issue because of the following scenario.

I have a volume with a default System:AnyUser rl ACL and I create a Mail subdirectory and set up the maildir folders Mail/{cur,new,tmp}. Then I realize that I don't want the world to read my email, so I remove the AnyUser ACL from Mail/.

With normal callbacks nobody can get past Mail/, and so nobody will be able to see the vnode/uniquifier parts of the file ids and as such be unable to read my email.

With a callback log, everyone who can access even a single object in the volume gets the file ids for my email, and because the cur/new/tmp directories still give System:AnyUser access, they have access to it.

So yes, the original breakdown is the fact that the subdirectories didn't have appropriate ACLs, but it is not expected behaviour that someone can get past that protected parent directory so easily.

Jan

Received on 2014-08-06 17:20:30
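The scenario in the message above, modelled as an added example (not Coda's code and not part of the original thread). It assumes the usual Coda/AFS-style semantics: ACLs sit on directories and cover the files inside them, walking a path requires lookup ('l') on every directory traversed, and opening an object directly by its file identifier (volume, vnode, uniquifier) consults only the ACL of the directory holding it. The directory names, file identifiers, the owner "jan" and the principal "anon" are constructed for illustration.

```python
# Toy model of the callback-log ACL bypass described in the message (illustrative, not Coda code).
# Assumed semantics: ACLs attach to directories and cover the files in them; a path walk needs
# 'l' on every directory on the way; an open by file identifier checks only the ACL of the
# directory that contains the object. All names, fids and principals below are made up.
from dataclasses import dataclass, field

ANYUSER = "System:AnyUser"
OWNER_RIGHTS = set("rlidwka")       # full AFS/Coda-style rights for the owner


@dataclass
class Dir:
    name: str
    acl: dict                       # principal -> set of rights
    fid: tuple                      # (volume, vnode, uniquifier), constructed
    children: dict = field(default_factory=dict)


@dataclass
class File:
    name: str
    fid: tuple
    parent: Dir


def rights(d, principal):
    """Effective rights of principal on directory d: its own entry plus System:AnyUser."""
    return set(d.acl.get(principal, set())) | set(d.acl.get(ANYUSER, set()))


def build_volume():
    """Volume as described: AnyUser rl at the root, removed from Mail/, but the maildir
    subdirectories still carry the default AnyUser rl entry (the 'original breakdown')."""
    root = Dir("/", {ANYUSER: {"r", "l"}, "jan": OWNER_RIGHTS}, fid=(7, 1, 1))
    mail = Dir("Mail", {"jan": OWNER_RIGHTS}, fid=(7, 2, 2))      # AnyUser entry removed
    root.children["Mail"] = mail
    for n, sub in enumerate(("cur", "new", "tmp"), start=3):
        d = Dir(sub, {ANYUSER: {"r", "l"}, "jan": OWNER_RIGHTS}, fid=(7, n, n))
        mail.children[sub] = d
        msg = File("1407357811.M1.host", fid=(7, n + 10, n + 10), parent=d)
        d.children[msg.name] = msg
    return root


def index_by_fid(node, out=None):
    """Flatten the tree into fid -> object. This stands in for the list of file ids that a
    callback log hands to every client holding even one cached object of the volume."""
    out = {} if out is None else out
    out[node.fid] = node
    if isinstance(node, Dir):
        for child in node.children.values():
            index_by_fid(child, out)
    return out


def readable_by_path(root, path, principal):
    """Normal callbacks: the client only learns about objects it can look up, so it must
    walk the path and needs 'l' on every directory along the way."""
    node = root
    for comp in path.strip("/").split("/"):
        if not isinstance(node, Dir) or "l" not in rights(node, principal):
            return False                # stopped at Mail/ for anyone but the owner
        node = node.children.get(comp)
        if node is None:
            return False
    if not isinstance(node, File):
        return False
    return "r" in rights(node.parent, principal)


def readable_by_fid(fid_index, fid, principal):
    """Callback log: the client already holds the fid, so there is no path walk and only the
    ACL of the directory that holds the object is consulted."""
    obj = fid_index.get(fid)
    if not isinstance(obj, File):
        return False
    return "r" in rights(obj.parent, principal)


def leaked_readable_files(root, principal):
    """Files the principal can read once it has been handed every fid in the volume."""
    idx = index_by_fid(root)
    return sorted(f for f, o in idx.items()
                  if isinstance(o, File) and readable_by_fid(idx, f, principal))


def harden(mail_dir):
    """The fix implied by the message: the subdirectories need their own ACLs, because the
    parent's ACL no longer shields them once fids are distributed."""
    for d in mail_dir.children.values():
        d.acl.pop(ANYUSER, None)


if __name__ == "__main__":
    vol = build_volume()
    msg = "/Mail/cur/1407357811.M1.host"
    print("path walk, anon:", readable_by_path(vol, msg, "anon"))       # False
    print("callback log, anon:", leaked_readable_files(vol, "anon"))    # three message fids
    harden(vol.children["Mail"])
    print("after harden, anon:", leaked_readable_files(vol, "anon"))    # []
```

The two access functions are the whole point: `readable_by_path` fails at `Mail/` for anyone without lookup rights there, while `readable_by_fid` never sees `Mail/` at all, so the per-directory ACL on `cur`, `new` and `tmp` is the only thing standing between the leaked identifiers and the message contents. Running `harden` is the equivalent of setting proper ACLs on the subdirectories; it closes the hole in this model but does not change the fact that the callback log exposes identifiers a path walk would never have revealed.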