Apple Bug Report Friday: Xsan and AFP fun

I’ve been a bit lazy and not posted a bug here for a couple of weeks. What I have been doing however is quite a bit with Xsan and finding a few bugs to go with it. Here’s one found a couple of days ago.

Summary

AFP shares from Xsan volumes do not correctly honour directory permissions for a user’s secondary groups. Directories that the user should be able to list because one of their secondary groups allow them read/execute permission to the directory can not be seen over AFP when shared from Xsan.

Description

Essentially what is happening here is that if I have a user with the following UID, GID and groups:
uid=501(admin) gid=20(staff) groups=20(staff), 80(admin)
The user can not view the contents of a folder shared from an Xsan volume if they reason they should be able to see it, according to the POSIX permissions, is that one of their groups (but not their primary group) allows them to. So in this case, if a directory had the following permissions:
drwxr-x--- 7 admin admin 238 Sep 17 10:00 test
the user wouldn’t be able to list the directory over AFP if the directory is on an Xsan volume.

This problem does not effect files: if the user has permission to read a file through their secondary groups they can do it without difficulty.

Bug Report

This has been tested on Mac OS X 10.4.2 Server and Xsan 1.1 with a Mac OS X 10.4.2 client. I’ve filed a bug with detailed steps for reproduction as Radar ID 4259969.


Posted

in

by

Tags: