[OpenAFS-devel] Implied administrative rights
Steve Brown
sbrown7@umbc.edu
Tue, 7 Feb 2006 10:00:09 -0500 (EST)

Hi All,

One of our more clueful users here pointed out that there seems to
be an error in the AFS documentation about whether or not the UNIX owner
of a directory really has implied administrative rights. The comment
about this appears in the fs setacl docs:

    Privilege Required

    The issuer must have the a (administer) permission on the directory's ACL;
    the directory's owner and the members of the system:administrators group
    have the right implicitly, even if it does not appear on the ACL.

So I investigated:

    linux3[3]% mkdir test
    linux3[4]% fs la test
    Access list for test is
    Normal rights:
      system:administrators rlidwka
      system:anyuser rl
      sbrown7 rlidwka
    linux3[5]% ls -al test
    total 4
    drwx------ 2 sbrown7 rpc 2048 Feb 7 09:44 .
    drwxr-xr-x 6 sbrown7 games 2048 Jan 17 13:15 ..
    linux3[6]% fs sa test sbrown7 none
    linux3[7]% fs la test
    Access list for test is
    Normal rights:
      system:administrators rlidwka
      system:anyuser rl
    linux3[8]% fs sa test sbrown7 all
    fs: You don't have the required access rights on 'test'

Yep. Not sure if this is an intended change that didn't get
documented, or if it is something that crept in a while back.

Most (all?) of the servers are running 1.4.0, and this client is
1.3.85.

Steve Brown
sbrown7@umbc.edu