On 3/20/2023 4:21 PM, Jeffrey E Altman ([email protected]) wrote:
Just this week a site privately discussed a desire to enforce readonly access to all machines in a particular subnet. Likewise, a site might want to enforce readonly access on all machines outside of approved subnets. This is simply not possible to do without altering the current behavior to enforce negative ACLs.

Proposal:

I propose that OpenAFS treat the current behavior as a bug. The use of negative rights is discouraged because they are hard to analyze. It is hoped that their use is rare. If negative rights are not in use, then changing the behavior when IP ACLs exist will not alter the computed outcome. However, if negative rights are in use, they are likely being used because it wasn't easy to limit the access any other way. In which case, granting more access than was specified is problematic. A CVE can be published to document the existing behavior and the behavior as it will appear beginning with a specific version of the fileserver.

If required, a configuration option can be provided to enable the AFS 3.2 behavior until all of the fileservers within a cell have been updated. I discourage using a configuration option to enable the stricter interpretation of ACLs as that will result in some sites being vulnerable when they did not intend to be.
OpenAFS Gerrit 13926 https://gerrit.openafs.org/#/c/13926/ provides for an "afsd readonly" option to enforce readonly behavior but use of client side configuration cannot be enforced by the fileserver.
Jeffrey Altman
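To make the point of the message concrete, here is an added Python model of the ACL evaluation it discusses. This is not OpenAFS fileserver code. The rights letters (rlidwka) and the rule that a negative entry subtracts from the positive entries matching the same list follow the documented AFS ACL semantics; the way user-derived and host (IP)-derived rights are combined, a plain union in which a negative entry only affects the list it matched, is an assumption chosen to reproduce the "more access than was specified" outcome described above, and the "strict" mode models the proposed stricter interpretation. The ACL, the users, the IP addresses and the machine groups (`staff`, `office-hosts`, `lab-subnet`, `bob`) are constructed for the illustration.

```python
# Added model of AFS-style ACL evaluation with negative and host (IP) entries.
# Not OpenAFS code.  Assumption: user-derived and host-derived rights are
# combined by union, and a negative entry only subtracts from the list (user
# CPS or host CPS) it matched.  strict=True models the proposed rule where any
# matching negative entry is subtracted from the combined result.

RIGHT_BITS = {"r": 1, "l": 2, "i": 4, "d": 8, "w": 16, "k": 32, "a": 64}


def parse_rights(text):
    """'rlidwk' -> bitmask, 'none' -> 0."""
    bits = 0
    if text != "none":
        for ch in text:
            bits |= RIGHT_BITS[ch]
    return bits


def fmt_rights(bits):
    """bitmask -> 'rlidwk' in canonical letter order, or 'none'."""
    return "".join(ch for ch, bit in RIGHT_BITS.items() if bits & bit) or "none"


def check_rights(acl, cps):
    """Rights one CPS (an id plus the groups it belongs to) gets from an ACL:
    union of matching positive entries minus union of matching negative
    entries.  This is the documented AFS rule for a single list."""
    positive = negative = 0
    for name, rights, is_negative in acl:
        if name in cps:
            if is_negative:
                negative |= parse_rights(rights)
            else:
                positive |= parse_rights(rights)
    return positive & ~negative


def effective_rights(acl, user_cps, host_cps, strict=False):
    """Combine the user's and the host's per-list results.

    strict=False (assumed current model): plain union, so a negative entry
      matching the host list cannot remove rights the user earned on their
      own, and a negative entry on the user cannot remove host-granted rights.
    strict=True (proposed): every negative entry matching either list is
      subtracted from the union.
    """
    rights = check_rights(acl, user_cps) | check_rights(acl, host_cps)
    if strict:
        for name, r, is_negative in acl:
            if is_negative and (name in user_cps or name in host_cps):
                rights &= ~parse_rights(r)
    return rights


# Constructed example ACL; all names are hypothetical.
ACL = [
    ("system:anyuser", "rl", False),    # anyone may read and list
    ("staff", "rlidwk", False),         # staff may write
    ("office-hosts", "rlidwk", False),  # machine group: writable from office desktops
    ("lab-subnet", "widk", True),       # negative machine group: lab subnet readonly
    ("bob", "w", True),                 # negative user entry: bob must not write
]

# Constructed CPS lists: user id + groups, host IP + machine groups.
ALICE = frozenset({"alice", "staff", "system:authuser", "system:anyuser"})
BOB = frozenset({"bob", "staff", "system:authuser", "system:anyuser"})
ANON = frozenset({"system:anyuser"})
LAB_HOST = frozenset({"10.0.5.17", "lab-subnet"})
OFFICE_HOST = frozenset({"10.0.1.9", "office-hosts"})
NO_HOST_ENTRY = frozenset()  # client address with no machine entry at all


def rights_for(user_cps, host_cps, strict=False):
    """Effective rights as a letter string for one user on one host."""
    return fmt_rights(effective_rights(ACL, user_cps, host_cps, strict))


if __name__ == "__main__":
    cases = [
        ("alice@lab", ALICE, LAB_HOST),
        ("bob@office", BOB, OFFICE_HOST),
        ("alice@office", ALICE, OFFICE_HOST),
        ("alice@nohost", ALICE, NO_HOST_ENTRY),
        ("anon@lab", ANON, LAB_HOST),
    ]
    for label, u, h in cases:
        print(f"{label:13} union={rights_for(u, h):7} strict={rights_for(u, h, True)}")
```

Under the union model, alice on a lab machine keeps `rlidwk` although the administrator added a negative `widk` entry for the lab subnet, and bob on an office desktop regains `w` through the machine group despite his negative entry; under the strict rule those become `rl` and `rlidk`. Where no negative entry matches (alice on an office host, or on a host with no machine entry) both models give the same answer, which is the case the message makes for treating the stricter interpretation as a fix rather than a behaviour change for most sites.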
