<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">Is there a way to designate a group that Scale would treat membership in as privileged? Like the “system” group in AIX.<br><br>That would push the privilege escalation back into Scale, rather than depending on scripts. It might be even better to lean on RBAC for AIX and SELinux for Linux. Maybe a flag that means to request transitions or capabilities, and just punt verification to the OS?<div><br><div dir="ltr">-- <div>Stephen Ulmer</div><div><br></div><div>Sent from a mobile device; please excuse auto-correct silliness.</div></div><div dir="ltr"><br><blockquote type="cite">On Sep 6, 2022, at 5:29 PM, Alec <anacreo@gmail.com> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><div dir="auto">Anh,<div dir="auto"> I was going to call that one out. But there also isn't a reason you couldn't make your own setuid chown wrapper with some logic in it to examine the chown ACL and decide if it will allow the user to give ownership of the file away or not.</div><div dir="auto"><br></div><div dir="auto"> You could say have it see if users are in the same primary group of the file, and ACL provides chown to allow assignment to someone else in the same primary group.. perhaps. Wouldn't be too hard to write up that wrapper.</div><div dir="auto"><br></div><div dir="auto">Alec</div><div dir="auto"><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Sep 6, 2022, 2:52 PM Anh Dao <<a href="mailto:adao@ibm.com">adao@ibm.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="m_-8803882483287016506WordSection1">
<p class="MsoNormal">Regarding the behavior with CHOWN in Spectrum Scale, to avoid quota abuse and security exposures, we have restricted that file owners can only chown only to themselves or to a group that they are a member of. This has been noted since Scale
4.2.0:<br>
<a href="https://www.ibm.com/docs/en/spectrum-scale/4.2.0?topic=applications-gpfs-exceptions-limitations-nfs-v4-acls" target="_blank" rel="noreferrer">https://www.ibm.com/docs/en/spectrum-scale/4.2.0?topic=applications-gpfs-exceptions-limitations-nfs-v4-acls</a><br>
<br>
“NFS V4 allows ACL entries that grant users (or groups) permission to change the owner or owning group of the file (for example, with the chown command). For security reasons, GPFS now restricts this so that non-privileged users may only chown such a file to
themselves (becoming the owner) or to a group that they are a member of.”<br>
<br>
Regards,<br>
Anh Dao<br>
IBM Spectrum Scale<br>
Software Developer<br>
<a href="mailto:adao@ibm.com" target="_blank" rel="noreferrer">adao@ibm.com</a><u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div>
_______________________________________________<br>
gpfsug-discuss mailing list<br>
gpfsug-discuss at <a href="http://gpfsug.org" rel="noreferrer noreferrer" target="_blank">gpfsug.org</a><br>
<a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org" rel="noreferrer noreferrer" target="_blank">http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org</a><br>
</blockquote></div>
<span>_______________________________________________</span><br><span>gpfsug-discuss mailing list</span><br><span>gpfsug-discuss at gpfsug.org</span><br><span>http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org</span><br></div></blockquote></div></body></html>