[OpenAFS-devel] Implied administrative rights
Derek Atkins
warlord@MIT.EDU
Tue, 7 Feb 2006 10:05:11 -0500
Directory owner does not have implicit rights. But the "owner" of the
VOLUME's root directory does have implicit rights on the whole volume.
-derek
Quoting Steve Brown <sbrown7@umbc.edu>:
> Hi All,
> One of our more clueful users here pointed out that there seems to
> be an error in the AFS documentation about whether or not the UNIX owner
> of a directory really has implied administrative rights. The comment
> about this appears in the fs setacl docs:
>
> Privilege Required
>
> The issuer must have the a (administer) permission on the directory's ACL;
> the directory's owner and the members of the system:administrators group
> have the right implicitly, even if it does not appear on the ACL.
>
> So I investigated:
>
> linux3[3]% mkdir test
> linux3[4]% fs la test
> Access list for test is
> Normal rights:
> system:administrators rlidwka
> system:anyuser rl
> sbrown7 rlidwka
> linux3[5]% ls -al test
> total 4
> drwx------ 2 sbrown7 rpc 2048 Feb 7 09:44 .
> drwxr-xr-x 6 sbrown7 games 2048 Jan 17 13:15 ..
> linux3[6]% fs sa test sbrown7 none
> linux3[7]% fs la test
> Access list for test is
> Normal rights:
> system:administrators rlidwka
> system:anyuser rl
> linux3[8]% fs sa test sbrown7 all
> fs: You don't have the required access rights on 'test'
>
> Yep. Not sure if this is an intended change that didn't get
> documented, or if it is something that crept in a while back.
>
> Most (all?) of the servers are running 1.4.0, and this client is
> 1.3.85.
>
> Steve Brown
> sbrown7@umbc.edu
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available
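
Added example, not part of the original thread and not OpenAFS code: a small Python model that parses `fs listacl` output in the format shown in the quoted session and applies the rule from the reply (the implicit `a` right goes to the owner of the volume's root directory and to system:administrators, not to the directory's own owner). The function names, the `volume_root_owner` parameter, and the treatment of negative rights as subtracting only from explicit ACL grants are assumptions of this sketch.

```python
import re

# Constructed sample: the ACL shown in the quoted session after `fs sa test sbrown7 none`.
SAMPLE = """Access list for test is
Normal rights:
system:administrators rlidwka
system:anyuser rl
"""

def parse_listacl(text):
    """Parse `fs listacl` output into {'normal': {name: rights}, 'negative': {...}}."""
    acl, section = {"normal": {}, "negative": {}}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Access list for"):
            continue
        header = re.fullmatch(r"(Normal|Negative) rights:", line)
        if header:
            section = header.group(1).lower()
            continue
        if section is None:
            raise ValueError(f"ACL entry before a section header: {line!r}")
        name, rights = line.split()
        acl[section][name] = set(rights)
    return acl

def can_setacl(acl, user, groups, volume_root_owner):
    """Model of who may change the ACL, following the reply above.

    The owner of the directory itself is deliberately not an input: per the
    reply, only the owner of the volume's root directory has the implicit right.
    """
    if "system:administrators" in groups:   # implicit, per the fs setacl docs
        return True
    if user == volume_root_owner:           # implicit, per the reply
        return True
    granted, denied = set(), set()
    for name in {user, *groups}:
        granted |= acl["normal"].get(name, set())
        denied |= acl["negative"].get(name, set())
    # Assumption of this model: negative rights only subtract explicit grants.
    return "a" in granted - denied

if __name__ == "__main__":
    acl = parse_listacl(SAMPLE)
    # "volowner" is a constructed placeholder for the volume root's owner.
    print(can_setacl(acl, "sbrown7", ["system:anyuser"], "volowner"))
```
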