Tim Thomas
2010-Jan-31 16:29 UTC
[zfs-discuss] ? NFSv4 and ZFS: removing write_owner attribute does not stop a user changing file group ownership
Hi,

I am accessing files in a ZFS file system via NFSv4. I am not logged in as root. File permissions look as expected when I inspect them with ls -v and ls -V. I only have owner and group ACLs...nothing for everyone.

    bash-3.00$ id
    uid=100(timt) gid=10001(ccbcadmins)
    bash-3.00$ groups
    ccbcadmins staff
    bash-3.00$ ls -v testacl
    -rwxrwx---+  1 timt     ccbcadmins       0 Jan 31 16:24 testacl
         0:owner@:read_data/write_data/append_data/read_xattr/write_xattr/execute
             /delete_child/read_attributes/write_attributes/delete/read_acl
             /write_acl/write_owner/synchronize:allow
         1:group@:read_data/write_data/append_data/read_xattr/write_xattr/execute
             /delete_child/read_attributes/write_attributes/delete/read_acl
             /write_acl/write_owner/synchronize:allow

I can change the group ownership of a file to any group I am a member of, but not to groups I am not a member of - this is as expected.

My question is how do I make it so that I CANNOT change group ownership of files that I own. I have changed the ACLs on the file so that owner and group do not have write_owner permissions, but I can still change the group ownership as before. I have tried removing write_owner from allow permissions and adding a deny ACL which denies write_owner permissions.

    bash-3.00$ ls -v testacl
    -rwxrwx---+  1 timt     ccbcadmins       0 Jan 31 16:23 testacl
         0:user:timt:write_owner:deny
         1:group@:write_owner:deny
         2:owner@:write_owner:deny
         3:owner@:read_data/write_data/append_data/read_xattr/write_xattr/execute
             /delete_child/read_attributes/write_attributes/delete/read_acl
             /write_acl/synchronize:allow
         4:group@:read_data/write_data/append_data/read_xattr/write_xattr/execute
             /delete_child/read_attributes/write_attributes/delete/read_acl
             /write_acl/synchronize:allow

but this makes no difference...I can still change the group ownership.

Clearly I am doing something wrong, or have incorrect expectations. Anyone got any ideas on this?
Thanks

Tim

--
Tim Thomas
Open Storage Technical Specialist
Sun Microsystems UK
Mobile: +44 (0)7802-212209
DDI: +44 (0)161 905-8097
Email: Tim.Thomas at Sun.COM
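An added example, not from Tim's post or the zfs-discuss thread: a small Python evaluator for the ACEs that `ls -v` prints, applying NFSv4 first-match ordering to the two ACLs shown above. It assumes owner@ is matched by uid and group@/group:NAME by group-name membership (a simplification of the kernel's check); running it confirms the second ACL does deny write_owner to timt, which rules out ACE ordering as the explanation before looking elsewhere.

```python
def parse_ls_v(ace_lines):
    """Parse 'N:who:perm/perm/...:allow|deny' entries (ls -v wrapping re-joined)."""
    aces = []
    for line in ace_lines:
        parts = line.strip().split(":")
        kind, perms = parts[-1], set(parts[-2].split("/"))
        who = ":".join(parts[1:-2])  # 'owner@', 'user:timt', 'group:staff', ...
        aces.append((who, perms, kind))
    return aces

def principal_matches(who, req, owner_uid, file_group):
    """Assumption: group@ and group:NAME are matched by group-name membership."""
    if who in ("owner@", "group@", "everyone@"):
        return {"owner@": req["uid"] == owner_uid,
                "group@": file_group in req["groups"],
                "everyone@": True}[who]
    kind, _, name = who.partition(":")
    return (kind == "user" and name == req["name"]) or \
           (kind == "group" and name in req["groups"])

def permission_granted(aces, perm, req, owner_uid, file_group):
    """NFSv4 order: the first ACE matching the requester that names `perm` decides;
    no matching ACE means implicit deny."""
    for who, perms, kind in aces:
        if perm in perms and principal_matches(who, req, owner_uid, file_group):
            return kind == "allow"
    return False

# Requester and file identity as shown by the post's `id` and `ls -v` output.
TIMT = {"uid": 100, "name": "timt", "groups": {"ccbcadmins", "staff"}}
OWNER_UID, FILE_GROUP = 100, "ccbcadmins"

# Permission list shared by the post's owner@ and group@ allow entries.
FULL = ("read_data/write_data/append_data/read_xattr/write_xattr/execute"
        "/delete_child/read_attributes/write_attributes/delete/read_acl/write_acl")
ACL_BEFORE = parse_ls_v([f"0:owner@:{FULL}/write_owner/synchronize:allow",
                         f"1:group@:{FULL}/write_owner/synchronize:allow"])
ACL_AFTER = parse_ls_v(["0:user:timt:write_owner:deny",
                        "1:group@:write_owner:deny",
                        "2:owner@:write_owner:deny",
                        f"3:owner@:{FULL}/synchronize:allow",
                        f"4:group@:{FULL}/synchronize:allow"])

if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(label, "write_owner for timt:",
              permission_granted(acl, "write_owner", TIMT, OWNER_UID, FILE_GROUP))
```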