Coda File System

Re: More permission questions

From: Jan Harkes <jaharkes_at_cs.cmu.edu>
Date: Wed, 30 May 2001 17:52:17 -0400

On Wed, May 30, 2001 at 03:19:05PM -0500, Kelly Corbin wrote:
> If I create a directory (in a volume that all coda users have 'rlidwka' 
> access) as one coda user and chmod it to 700, how come I can access that 
> directory as another coda user?  Or, how come I can delete/edit a file 
> that another coda user created and chmod'ed to 700? I shouldn't have to 
> 'cfs sa' for every single directory should I?  And what about individual 
> permissions?  Chmod doesn't seem to work at all.
> 
> It seems to me (and please correct me because I want to be wrong ;) ) 
> that as long as any regular system user has tokens as any coda user with 
> 'rlidwka' permissions to a given volume, the permissions for everything 
> created in that volume is basically 777.

Coda ignores the Unix mode bits for access control and relies on the
permissions granted by the directory ACL. Newly created directories
inherit the ACL from their parent.

So, yes, you need to remove the rlidwka access permissions for 'all Coda
users' (I guess this is some group), and use 'cfs sa user-dir user
rlidwka' to allow specific users access to specific directories. 'All
Coda users' (System:AnyUser?) could be given only 'rl' rights, which
allows them to list directories and read files, or no rights at all.

> What am I missing about permissions here?  Does it *have* to be 'one 
> volume per user' in order to maintain access integrity?

No, ACLs are on a directory basis, so that would be 'one directory
(tree) per user'.

Jan
Received on 2001-05-30 17:52:32
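
The rule described in the reply above, as an added toy model (example code added here, not Coda's implementation and not part of the original message): mode bits are stored but never consulted, and a new directory copies its parent's ACL. The user names, the group membership and the `Dir` class are constructed for illustration, and negative ACL entries are not modelled.

```python
# Toy model of the access rules described in the reply (not Coda code).
# Assumption: alice and bob are constructed users, both in System:AnyUser.
GROUPS = {"System:AnyUser": {"alice", "bob"}}

class Dir:
    def __init__(self, parent=None):
        # A newly created directory starts with a copy of its parent's ACL.
        self.acl = {k: set(v) for k, v in parent.acl.items()} if parent else {}
        self.mode = 0o755              # stored, never consulted for access

    def mkdir(self):
        return Dir(parent=self)

    def chmod(self, mode):
        self.mode = mode               # changes the mode bits and nothing else

    def set_acl(self, who, rights):
        # Models the effect of 'cfs sa <dir> <who> <rights>'.
        self.acl[who] = set(rights)

    def rights(self, user):
        # Union of the user's own entry and the entries of the user's groups.
        granted = set(self.acl.get(user, ()))
        for group, members in GROUPS.items():
            if user in members:
                granted |= self.acl.get(group, set())
        return granted

    def allows(self, user, needed):
        return set(needed) <= self.rights(user)

def scenario():
    root = Dir()
    root.set_acl("System:AnyUser", "rlidwka")   # volume as in the question
    home = root.mkdir()                          # created by alice
    home.chmod(0o700)                            # has no effect on access
    before = home.allows("bob", "wd")            # bob can still write/delete
    home.set_acl("System:AnyUser", "rl")         # narrow the broad group
    home.set_acl("alice", "rlidwka")             # grant the owner explicitly
    sub = home.mkdir()                           # inherits the corrected ACL
    return (before,
            home.allows("bob", "wd"), home.allows("bob", "rl"),
            sub.allows("alice", "wd"), sub.allows("bob", "wd"))

if __name__ == "__main__":
    print(scenario())
```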