[OpenAFS] Implicit privilege to do "fs setacl" in a directory

Frederic Gilbert Frederic.Gilbert@inria.fr
Tue, 23 Jan 2007 17:49:05 +0100


From our AFS experience since Transarc, and from the documentation,
we believed that, to apply "fs setacl" on a directory:
    Issuer must have ADMINISTER rights to the directory; the
    directory's owner and members of system:administrators
    always do.

Recently, with 1.4.1 servers and 1.4.2 clients, one of our users was not
able to do an "fs sa" on a directory where he was the directory's
owner but was not in the ACL table. Further tests confirmed that being
the directory's owner does not give (any more?) the "fs sa" privilege on
the directory.

On the other hand, we found out that one can apply "fs sa" on a
directory even if one is not in the ACL table and is not the
directory's owner, provided one is the owner of the mounting point of the
volume where the directory resides.

Is it a feature change that we have missed?

Best regards,
Frederic Gilbert.