[gpfsug-discuss] NF4 ACLs (Joshua Taylor)

Stephen Ulmer ulmer at ulmer.org
Wed Sep 7 01:22:19 BST 2022


Is there a way to designate a group that Scale would treat membership in as privileged? Like the “system” group in AIX.

That would push the privilege escalation back into Scale, rather than depending on scripts. It might be even better to lean on RBAC for AIX and SELinux for Linux. Maybe a flag that means to request transitions or capabilities, and just punt verification to the OS?

-- 
Stephen Ulmer

Sent from a mobile device; please excuse auto-correct silliness.

> On Sep 6, 2022, at 5:29 PM, Alec <anacreo at gmail.com> wrote:
> 
> 
> Anh,
>   I was going to call that one out.  But there also isn't a reason you couldn't make your own setuid chown wrapper with some logic in it to examine the chown ACL and decide if it will allow the user to give ownership of the file away or not.
> 
>   You could, say, have it see if users are in the same primary group as the file, and the ACL provides chown, to allow assignment to someone else in the same primary group... perhaps. Wouldn't be too hard to write up that wrapper.
> 
> Alec
> 
> 
>> On Tue, Sep 6, 2022, 2:52 PM Anh Dao <adao at ibm.com> wrote:
>> Regarding the behavior with CHOWN in Spectrum Scale, to avoid quota abuse and security exposures, we have restricted it so that file owners can chown only to themselves or to a group that they are a member of. This has been noted since Scale 4.2.0:
>> https://www.ibm.com/docs/en/spectrum-scale/4.2.0?topic=applications-gpfs-exceptions-limitations-nfs-v4-acls
>> 
>> “NFS V4 allows ACL entries that grant users (or groups) permission to change the owner or owning group of the file (for example, with the chown command). For security reasons, GPFS now restricts this so that non-privileged users may only chown such a file to themselves (becoming the owner) or to a group that they are a member of.”
>> 
>> Regards,
>> Anh Dao
>> IBM Spectrum Scale
>> Software Developer
>> adao at ibm.com
>> 
>>  
>> 
>> _______________________________________________
>> gpfsug-discuss mailing list
>> gpfsug-discuss at gpfsug.org
>> http://gpfsug.org/mailman/listinfo/gpfsug-discuss_gpfsug.org
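The setuid chown wrapper that Alec sketches above, written out as an added example (it is not code from the thread, from IBM, or from any gpfsug member). It assumes Linux (O_PATH and AT_EMPTY_PATH are Linux-specific) and a simple policy that stands in for "examine the chown ACL": the caller must be the file's current owner, and the recipient must be a member of the file's owning group. The ACL lookup itself is left out; a real wrapper would add a check of the NFSv4 ACL before the policy decision. The policy lives in a pure function so it can be tested without root.

```c
/*
 * Added example: a minimal setuid-root chown wrapper implementing a
 * "give away only within the file's owning group" policy. Install as
 * root-owned, mode 4755. Not part of Spectrum Scale or the mailing list.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure policy decision (no syscalls, so it is unit-testable).
 * Returns 1 when caller_uid may hand a file owned by file_uid:file_gid to
 * target_uid, whose group memberships are target_groups[0..ngroups). */
int chown_policy_allows(uid_t caller_uid, uid_t file_uid, gid_t file_gid,
                        uid_t target_uid, const gid_t *target_groups, size_t ngroups)
{
    if (caller_uid == 0) return 1;          /* root keeps full chown */
    if (caller_uid != file_uid) return 0;   /* only the current owner may give a file away */
    if (target_uid == caller_uid) return 1; /* chown to self is a no-op, always fine */
    for (size_t i = 0; i < ngroups; i++)    /* recipient must share the owning group */
        if (target_groups[i] == file_gid) return 1;
    return 0;
}

/* All groups of a user via getgrouplist(); returns count or -1. Caller frees *out. */
static int user_groups(const char *name, gid_t primary, gid_t **out)
{
    int n = 16;
    gid_t *g = NULL;
    for (;;) {
        gid_t *p = realloc(g, (size_t)n * sizeof *p);
        if (!p) { free(g); return -1; }
        g = p;
        int want = n;
        if (getgrouplist(name, primary, g, &want) != -1) { *out = g; return want; }
        n = want > n ? want : n * 2;        /* glibc stores the required size in want */
    }
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s NEWOWNER FILE\n", argv[0]); return 2; }

    uid_t caller = getuid();                 /* real uid: the person who ran us */
    if (seteuid(caller) != 0) { perror("seteuid"); return 1; }   /* drop root while deciding */

    struct passwd *pw = getpwnam(argv[1]);
    if (!pw) { fprintf(stderr, "no such user: %s\n", argv[1]); return 1; }

    /* Open without following symlinks and operate on the fd from here on,
     * so the file we checked is the file we chown (no TOCTOU via path swap). */
    int fd = open(argv[2], O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) { perror("open"); return 1; }
    struct stat st;
    if (fstat(fd, &st) != 0) { perror("fstat"); return 1; }

    gid_t *groups = NULL;
    int ng = user_groups(pw->pw_name, pw->pw_gid, &groups);
    if (ng < 0) { perror("getgrouplist"); return 1; }

    if (!chown_policy_allows(caller, st.st_uid, st.st_gid, pw->pw_uid, groups, (size_t)ng)) {
        fprintf(stderr, "chown to %s denied by policy\n", pw->pw_name);
        free(groups);
        return 1;
    }
    free(groups);

    /* Regain root only for the single privileged call; group stays unchanged.
     * On Linux the kernel clears setuid/setgid bits on the file when its owner changes. */
    if (seteuid(0) != 0) { perror("seteuid(0)"); return 1; }
    int rc = fchownat(fd, "", pw->pw_uid, (gid_t)-1, AT_EMPTY_PATH);
    int saved = errno;
    if (setuid(caller) != 0) { perror("setuid"); return 1; }   /* drop root permanently */
    if (rc != 0) { fprintf(stderr, "fchownat: %s\n", strerror(saved)); return 1; }
    return 0;
}
```

The wrapper decides on the real uid and on an already-opened descriptor, never on a path re-resolved after the check, and only ever changes the owner, never the group; those three choices are what keep it from reintroducing the quota and setuid exposures that Scale's restriction exists to close.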