<div dir="auto">Anh,<div dir="auto"> I was going to call that one out. But there also isn't a reason you couldn't make your own setuid chown wrapper with some logic in it to examine the chown ACL and decide if it will allow the user to give ownership of the file away or not.</div><div dir="auto"><br></div><div dir="auto"> You could say have it see if users are in the same primary group of the file, and ACL provides chown to allow assignment to someone else in the same primary group.. perhaps. Wouldn't be too hard to write up that wrapper.</div><div dir="auto"><br></div><div dir="auto">Alec</div><div dir="auto"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Sep 6, 2022, 2:52 PM Anh Dao <<a href="mailto:adao@ibm.com">adao@ibm.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="m_-8803882483287016506WordSection1">
<p class="MsoNormal">Regarding the behavior with CHOWN in Spectrum Scale, to avoid quota abuse and security exposures, we have restricted that file owners can only chown only to themselves or to a group that they are a member of. This has been noted since Scale
4.2.0:<br>
<a href="https://www.ibm.com/docs/en/spectrum-scale/4.2.0?topic=applications-gpfs-exceptions-limitations-nfs-v4-acls" target="_blank" rel="noreferrer">https://www.ibm.com/docs/en/spectrum-scale/4.2.0?topic=applications-gpfs-exceptions-limitations-nfs-v4-acls</a><br>
<br>
“NFS V4 allows ACL entries that grant users (or groups) permission to change the owner or owning group of the file (for example, with the chown command). For security reasons, GPFS now restricts this so that non-privileged users may only chown such a file to
themselves (becoming the owner) or to a group that they are a member of.”<br>
<br>
Regards,<br>
Anh Dao<br>
IBM Spectrum Scale<br>
Software Developer<br>
<a href="mailto:adao@ibm.com" target="_blank" rel="noreferrer">adao@ibm.com</a><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
_______________________________________________<br>
gpfsug-discuss mailing list<br>
gpfsug-discuss at <a href="http://gpfsug.org" rel="noreferrer noreferrer" target="_blank">gpfsug.org</a><br>
<a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org" rel="noreferrer noreferrer" target="_blank">http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org</a><br>
</blockquote></div>