[gpfsug-discuss] NF4 ACLs (Joshua Taylor)
Anh Dao
adao at ibm.com
Wed Sep 7 21:44:33 BST 2022
In-Reply-To: CAGhSTwiMcszfSE0JmqAmooLE9yBGbd_v1tHsJAWuan1Rk4CRAA at mail.gmail.com<mailto:CAGhSTwiMcszfSE0JmqAmooLE9yBGbd_v1tHsJAWuan1Rk4CRAA at mail.gmail.com>
In Linux, chown has the following note:
man 2 chown
“Only a privileged process (Linux: one with the CAP_CHOWN capability) may change the owner of a file.
The owner of a file may change the group of the file to any group of which that owner is a member.
A privileged process (Linux: with CAP_CHOWN) may change the group arbitrarily.”
Scale now adds NFSv4 ACLs, and the CHOWN permission is basically an additional restriction on top of what Linux does. Since Scale is only invoked after Linux has perform its checks (chown_ok https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/fs/attr.c?h=v5.19.7), it cannot overcome the restrictions in place in the Linux VFS.
Regarding the wrapper mentioned, the admin (root) is certainly able to implement such setuid wrapper, but they should be very careful on the security aspects of doing so. This seems risky for Scale to implement such program.
Regards,
Anh Dao
IBM Spectrum Scale
Software Developer
adao at ibm.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20220907/ef010606/attachment-0002.htm>
More information about the gpfsug-discuss
mailing list