[OpenAFS-devel] posix chown again
Jeffrey Hutzelman
jhutz@cmu.edu
Wed, 29 Oct 2008 15:54:35 -0400
--On Monday, October 27, 2008 06:20:44 PM -0400 Michael Meffie
<mmeffie@sinenomine.net> wrote:
> wollman@khavrinen.csail.mit.edu wrote:
>> <<On Mon, 20 Oct 2008 09:51:15 -0400, Michael Meffie
>> <mmeffie@sinenomine.net> said:
>>
>>> I have been looking at Derrick's patch from last spring
>>> to implement POSIX style chown, with the hope it can be
>>> included in OpenAFS 1.5. Since there are security implications
>>> to this change, I am posting it here for further review
>>> and comment.
>>
>>> The idea is to allow regular users to disown files when the
>>> C acl bit is set.
>>
>> What does POSIX have to do with this? POSIX does not require that
>> users have the ability to give away files. (In fact, a "strictly
>> conforming" POSIX implementation shall not allow this.)
>
> I think the name posix chown came from the fact that POSIX requires
> the suid and sgid bits be cleared when the user disowns a file, which
> is an important security consideration.
POSIX has this requirement, when users are allowed to disown files. But
then, System V UNIX has always had that behavior. And as noted, POSIX does
not require System V chown behavior; it permits and even encourages BSD
behavior, in which users cannot give away files (in BSD UNIX, allowing
users to give away files would allow them to subvert the quota system).
>> Does the patch include changes to allow pathconf(_PC_CHOWN_RESTRICTED,
>> "/afs/...") to return the correct value?
No, and in fact, I'm not sure we can. Doing this at all would require
giving AFS clients a means of discovering this, which they presently do not
have. Since there is no standardized ACL bit for this, clients cannot
discover the correct answer by examining the ACL, because ACL extension
bits must be interpreted in the context of the server containing the ACL.
But it gets worse... in AFS, whether a chown is permitted depends on the
client's authenticated identity. With this patch, chown is permitted to
AFS administrators and for users who have the 'C' bit (or whichever is
used); without it, it is permitted only to AFS administrators. It's not
clear to me that pathconf(_PC_CHOWN_RESTRICTED) is expected to return a
value which depends on the caller; rather, I believe it is intended to
return a static value depending only on the path, with the implication that
even when present, the restriction does not apply to administrators.
-- Jeff
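The two mechanisms the thread turns on, the POSIX rule that chown() clears the suid/sgid bits and the pathconf(_PC_CHOWN_RESTRICTED) query, can be exercised directly on a local filesystem. The C program below is an added example, not code from the thread, from the OpenAFS patch under discussion, or from any AFS client; it runs against a temporary file in a directory of your choice (the assumed default is /tmp) rather than /afs. The function names mode_after_chown, chown_restricted and probe_suid_clearing are this example's own. Note that pathconf() gives one static answer per path, which is exactly the property Jeff describes, while the probe shows what the kernel actually did for the identity that ran it, so a privileged caller can observe a different result from an unprivileged one.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pure model of the POSIX rule quoted in the thread: after a successful
 * chown() of a regular file, S_ISUID and S_ISGID are cleared.  POSIX
 * mandates this for unprivileged callers and leaves privileged callers
 * implementation-defined; this model (an assumption of the example) clears
 * the bits in both cases.  Directories keep their bits: S_ISGID on a
 * directory controls group inheritance, not privilege. */
mode_t mode_after_chown(mode_t mode)
{
    if (S_ISREG(mode))
        mode &= ~(mode_t)(S_ISUID | S_ISGID);
    return mode;
}

/* The question raised in the thread: is chown restricted for this path?
 * pathconf() returns -1 with errno unchanged when _POSIX_CHOWN_RESTRICTED
 * is not in effect for the path, -1 with errno set on error, and any other
 * value when giving files away is restricted.
 * Returns 1 (restricted), 0 (giveaway permitted), -1 (error, errno set). */
int chown_restricted(const char *path)
{
    errno = 0;
    long v = pathconf(path, _PC_CHOWN_RESTRICTED);
    if (v == -1)
        return errno != 0 ? -1 : 0;
    return 1;
}

/* Create a setuid+setgid regular file under dir, chown() it to the caller's
 * own uid/gid (an ownership change any owner may make) and report what the
 * kernel did to the mode bits:
 *   1  suid/sgid were cleared by the chown (the POSIX behaviour)
 *   0  the bits survived (e.g. a privileged caller on a system that keeps them)
 *  -1  the probe could not be run (errno set)
 * S_IXGRP is set deliberately: some kernels only clear S_ISGID on
 * group-executable files, treating S_ISGID without S_IXGRP differently. */
int probe_suid_clearing(const char *dir)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/chownprobe.XXXXXX", dir);
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;

    int result = -1;
    struct stat st;
    if (fchmod(fd, S_ISUID | S_ISGID | S_IRWXU | S_IXGRP) == 0 &&
        fchown(fd, getuid(), getgid()) == 0 &&
        fstat(fd, &st) == 0)
        result = (st.st_mode & (S_ISUID | S_ISGID)) == 0 ? 1 : 0;

    int saved = errno;           /* keep the cause of a failure for the caller */
    close(fd);
    unlink(path);
    errno = saved;
    return result;
}

int main(void)
{
    int r = chown_restricted("/");
    printf("chown restricted on /: %s\n",
           r < 0 ? strerror(errno) : (r ? "yes" : "no"));
    printf("04755 regular file after chown (model): %04o\n",
           (unsigned)(mode_after_chown(S_IFREG | 04755) & 07777));
    r = probe_suid_clearing("/tmp");   /* assumed writable scratch directory */
    printf("kernel cleared suid/sgid on chown: %s\n",
           r < 0 ? strerror(errno) : (r ? "yes" : "no"));
    return 0;
}
```

Run it once as an ordinary user and once with privilege to see the point Jeff makes: the pathconf() answer for the path does not change, but the probe's result can, because whether the bits are cleared is allowed to depend on who performed the chown.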