[gpfsug-discuss] NF4 ACLs (Joshua Taylor)

Weil, Matthew mweil at wustl.edu
Thu Sep 8 18:00:13 BST 2022


Hello all,
Sort of on this topic, does anyone have a transfer tool like rsync or mmxcp that transfers the NFSv4 ACLs correctly?
Thanks
Matt

From: gpfsug-discuss <gpfsug-discuss-bounces at gpfsug.org> on behalf of Anh Dao <adao at ibm.com>
Date: Wednesday, September 7, 2022 at 3:48 PM
To: gpfsug-discuss at gpfsug.org <gpfsug-discuss at gpfsug.org>
Subject: Re: [gpfsug-discuss] NF4 ACLs (Joshua Taylor)
In-Reply-To: CAGhSTwiMcszfSE0JmqAmooLE9yBGbd_v1tHsJAWuan1Rk4CRAA at mail.gmail.com

In Linux, chown has the following note:
man 2 chown
“Only a privileged process (Linux: one with the CAP_CHOWN capability) may change the owner of a file.
The owner of a file may change the group of the file to any group of which that owner is a member.
A privileged process (Linux: with CAP_CHOWN) may change the group arbitrarily.”

Scale now adds NFSv4 ACLs, and the CHOWN permission is basically an additional restriction on top of what Linux does. Since Scale is only invoked after Linux has performed its checks (chown_ok, https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/fs/attr.c?h=v5.19.7), it cannot overcome the restrictions in place in the Linux VFS.

Regarding the wrapper mentioned, the admin (root) is certainly able to implement such a setuid wrapper, but they should be very careful about the security aspects of doing so. It seems risky for Scale to implement such a program.

Regards,
Anh Dao
IBM Spectrum Scale
Software Developer
adao at ibm.com
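
The check order described in the message above, as an added example that is not part of the original thread and is not kernel or Scale code. It is a simplified user-space model: the struct names, function names and sample users are constructed, and the filesystem's ACL evaluation is reduced to a single boolean.

```c
/* User-space model of the check order described in the post: Linux VFS
 * ownership rules first, then the filesystem's NFSv4 ACL CHOWN bit, which
 * can only deny further. All names and sample values are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct caller { unsigned fsuid; const unsigned *groups; size_t ngroups; bool cap_chown; };
struct target { unsigned uid, gid; bool acl_chown; /* ACL grants CHOWN to this caller */ };

static bool in_groups(const struct caller *c, unsigned gid) {
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return true;
    return false;
}
/* chown(2): only a process with CAP_CHOWN may change the owner. */
static bool vfs_chown_ok(const struct caller *c, const struct target *t, unsigned uid) {
    if (c->fsuid == t->uid && uid == t->uid) return true; /* owner, no actual change */
    return c->cap_chown;
}
/* chown(2): the owner may change the group to one it is a member of. */
static bool vfs_chgrp_ok(const struct caller *c, const struct target *t, unsigned gid) {
    if (c->fsuid == t->uid && (gid == t->gid || in_groups(c, gid))) return true;
    return c->cap_chown;
}
/* Assumption: the ACL bit is applied to every caller; the post does not say
 * how Scale treats privileged callers. The ACL is reached only if VFS agrees. */
bool may_chown(const struct caller *c, const struct target *t, unsigned uid) {
    return vfs_chown_ok(c, t, uid) && t->acl_chown;
}
bool may_chgrp(const struct caller *c, const struct target *t, unsigned gid) {
    return vfs_chgrp_ok(c, t, gid) && t->acl_chown;
}

/* Constructed sample data: alice is uid 1000, member of groups 1000 and 2000. */
static const unsigned alice_groups[] = {1000, 2000};
const struct caller alice = {1000, alice_groups, 2, false};
const struct caller root  = {0, NULL, 0, true};           /* holds CAP_CHOWN */
const struct target bobs_file     = {1001, 1001, true};   /* ACL grants CHOWN */
const struct target alices_file   = {1000, 1000, true};
const struct target alices_locked = {1000, 1000, false};  /* ACL withholds CHOWN */

int main(void) {
    printf("alice takes bob's file, ACL allows: %d\n", may_chown(&alice, &bobs_file, 1000));
    printf("alice chgrp own file to 2000:       %d\n", may_chgrp(&alice, &alices_file, 2000));
    printf("alice chgrp own file to 3000:       %d\n", may_chgrp(&alice, &alices_file, 3000));
    printf("alice chgrp, ACL withholds CHOWN:   %d\n", may_chgrp(&alice, &alices_locked, 2000));
    printf("root gives bob's file to alice:     %d\n", may_chown(&root, &bobs_file, 1000));
    return 0;
}
```

The first case is the one the thread turns on: an ACL entry granting CHOWN to a non-owner changes nothing, because the VFS rule has already refused the request.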

