...

	fs listacl ~vanilla
	Access list for /u/sf/vanilla is
	Normal rights:
	  system:slac rl
	  system:administrators rlidwka
	  system:authuser rl
	  vanilla rlidwka

The problematic entries are system:slac, which means any machine in the SLAC IP address ranges, and system:authuser, which means anyone in the world holding a SLAC AFS token. While rl only allows reading and listing, many applications assume a different file security model than the per-directory one that AFS supplies. This causes problems when an application assumes that giving a file Unix permissions of -rw------- (owner read/write only) makes it reasonably secure, when in fact the file may be readable by many other users because the directory ACL grants them rl.

...

batten has two different modes of use: do the minimum possible and do the most possible. In the minimum mode only directories whose names start with a dot have their ACLs modified. In maximum mode all directories, including the user's home directory itself, get more restricted ACLs. batten in maximum mode also moves the user's .k5login, .forward and .procmailrc into a system:slac-readable directory and creates symlinks to them so that ssh login and email forwarding continue to work.

Using batten

As of 2/16/2022, /usr/local/bin/batten is still available on rhel6-64.slac.stanford.edu. By default, batten does nothing but print out the list of commands it would run. Once it prints a list you are happy with, use the -g option to actually execute those commands. For example:

rhel6-64> /usr/local/bin/batten

#!/bin/sh
# batten is running in test mode.
# This output can be edited and feed to /bin/sh
cd /u/v/vanilla
mkdir .system
/usr/afsws/bin/fs setacl -dir .system -acl system:anyuser none system:authuser none system:slac rl
/usr/afsws/bin/fs setacl -dir .openmpi -acl system:anyuser none system:authuser none system:slac none
/usr/afsws/bin/fs setacl -dir .mozilla -acl system:anyuser none system:authuser none system:slac none
/usr/afsws/bin/fs setacl -dir .dotfiles -acl system:anyuser none system:authuser none system:slac none
/usr/afsws/bin/fs setacl -dir .hepix-scs -acl system:anyuser none system:authuser none system:slac none
/usr/afsws/bin/fs setacl -dir .metacity -acl system:anyuser none system:authuser none system:slac none
/usr/afsws/bin/fs setacl -dir .gnome-desktop -acl system:anyuser none system:authuser none system:slac none
/usr/afsws/bin/fs setacl -dir .gnome -acl system:anyuser none system:authuser none system:slac none
/usr/afsws/bin/fs setacl -dir .eggcups -acl system:anyuser none system:authuser none system:slac none
/usr/afsws/bin/fs setacl -dir .environ-scs -acl system:anyuser none system:authuser none system:slac none
/usr/afsws/bin/fs setacl -dir private -acl system:anyuser none system:authuser none system:slac none
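To make the test-mode decision concrete, here is an added example (not batten's own code and not part of the original page) that reproduces, for a single directory, what batten computes from `fs listacl` output: whether any overly broad group holds rights, whether the directory is in scope for minimum or maximum mode, and the `fs setacl` line it would queue. The set of groups treated as too broad is an assumption matching this page, and the two ACL listings are constructed samples.

```shell
#!/bin/sh
# Added example, not batten's own code. Reads `fs listacl` output on stdin in the
# format shown at the top of this page. Which groups count as too broad for a private
# directory is an assumption taken from the page's discussion.

# broad_entries: print each overly broad group that holds any normal rights.
broad_entries() {
    awk '
        /^Negative rights:/ { neg = 1 }
        !neg && NF == 2 && ($1 == "system:anyuser" || $1 == "system:authuser" || $1 == "system:slac") { print $1 }
    '
}

# batten_line DIR [min|max]: print the fs setacl command that would be queued for DIR,
# or nothing if no broad group has rights or DIR is out of scope for the mode.
# min (default) touches only dot directories; max touches every directory.
# .system keeps system:slac rl, as in the page's output, so the relocated
# .k5login/.forward/.procmailrc stay readable by the login and mail hosts.
batten_line() {
    dir=$1
    mode=${2:-min}
    if [ "$mode" = min ]; then
        case "$dir" in .*) ;; *) return 0 ;; esac
    fi
    [ -n "$(broad_entries)" ] || return 0
    slac=none
    if [ "$dir" = .system ]; then slac=rl; fi
    printf '/usr/afsws/bin/fs setacl -dir %s -acl system:anyuser none system:authuser none system:slac %s\n' "$dir" "$slac"
}

# Constructed sample: the listing from the top of the page, as seen for a dot directory.
SAMPLE_ACL='Access list for /u/sf/vanilla/.ssh is
Normal rights:
  system:slac rl
  system:administrators rlidwka
  system:authuser rl
  vanilla rlidwka'

# Constructed sample: a directory that is already private; nothing should be queued.
PRIVATE_ACL='Access list for /u/sf/vanilla/private is
Normal rights:
  system:administrators rlidwka
  vanilla rlidwka'

printf '%s\n' "$SAMPLE_ACL" | batten_line .ssh min
printf '%s\n' "$PRIVATE_ACL" | batten_line private max
```

Running it prints one setacl line for .ssh and nothing for the already-private directory; in practice the listing would come from `fs listacl "$dir"` for each directory under the home directory.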

...

[This page copied from an old web page created by Booker Bense.  Copied 2020 March 31.]