[gpfsug-discuss] NF4 ACLs (Joshua Taylor)

Alec anacreo at gmail.com
Tue Sep 6 23:03:35 BST 2022


Anh,
  I was going to call that one out.  But there also isn't a reason you
couldn't make your own setuid chown wrapper with some logic in it to
examine the chown ACL and decide if it will allow the user to give
ownership of the file away or not.

  You could, say, have it see if users are in the same primary group of the
file, and the ACL provides chown to allow assignment to someone else in the
same primary group... perhaps.  Wouldn't be too hard to write up that
wrapper.

Alec


On Tue, Sep 6, 2022, 2:52 PM Anh Dao <adao at ibm.com> wrote:

> Regarding the behavior with CHOWN in Spectrum Scale, to avoid quota abuse
> and security exposures, we have restricted it so that file owners can chown
> only to themselves or to a group that they are a member of. This has been
> noted since Scale 4.2.0:
>
> https://www.ibm.com/docs/en/spectrum-scale/4.2.0?topic=applications-gpfs-exceptions-limitations-nfs-v4-acls
>
> “NFS V4 allows ACL entries that grant users (or groups) permission to
> change the owner or owning group of the file (for example, with the chown
> command). For security reasons, GPFS now restricts this so that
> non-privileged users may only chown such a file to themselves (becoming the
> owner) or to a group that they are a member of.”
>
> Regards,
> Anh Dao
> IBM Spectrum Scale
> Software Developer
> adao at ibm.com
>
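
One way the decision logic of the wrapper suggested above could look, as an added example that is not part of the original messages or of any GPFS tooling. Assumptions: the ACL lookup happens elsewhere and arrives as the hypothetical `acl_grants_chown` flag, and the function names and the extra refusals (non-regular, hard-linked and set-id files, root as new owner) are this example's own choices.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy sketched in the message: the ACL grants the caller CHOWN, and the
 * caller and the proposed owner both have the file's group as primary group.
 * acl_grants_chown is an assumed input; reading the GPFS ACL is not shown. */
bool may_give_away(mode_t mode, nlink_t nlink, gid_t file_gid, gid_t caller_gid,
                   uid_t new_owner, gid_t new_owner_gid, bool acl_grants_chown)
{
    if (!S_ISREG(mode) || nlink != 1)  return false; /* plain, singly linked files only */
    if (mode & (S_ISUID | S_ISGID))    return false; /* never hand over set-id files */
    if (new_owner == 0)                return false; /* never assign to root */
    if (!acl_grants_chown)             return false;
    return caller_gid == file_gid && new_owner_gid == file_gid;
}

/* Check and change through one descriptor, so the file that was examined is
 * the file that changes owner even if the path is swapped in between. */
int give_away(const char *path, gid_t caller_gid, uid_t new_owner,
              gid_t new_owner_gid, bool acl_grants_chown)
{
    struct stat st;
    int rc = -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0 &&
        may_give_away(st.st_mode, st.st_nlink, st.st_gid, caller_gid,
                      new_owner, new_owner_gid, acl_grants_chown))
        rc = fchown(fd, new_owner, (gid_t)-1); /* owner only, group untouched */
    close(fd);
    return rc;
}

int main(void)
{
    /* Constructed values: file group 500, caller and new owner (uid 1002) in 500. */
    printf("same group: %d\n", may_give_away(S_IFREG | 0640, 1, 500, 500, 1002, 500, true));
    printf("other group: %d\n", may_give_away(S_IFREG | 0640, 1, 500, 500, 1002, 501, true));
    return 0;
}
```

In a real setuid program the caller's identity and primary group would come from the real UID (`getuid()`), not the effective one. The same-group test does nothing for user quotas, which the quoted message names as one reason for the restriction.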