[OpenAFS] Implicit privilege to do "fs setacl" in a directory

Derrick J Brashear shadow@dementia.org
Tue, 23 Jan 2007 11:52:43 -0500 (EST)

On Tue, 23 Jan 2007, Frederic Gilbert wrote:

> Hi,
> From our AFS experience since Transarc, and from the documentation,
> we believed that, to apply "fs setacl" on a directory:
>   Issuer must have ADMINISTER rights  to  the  directory;  the
>   directory's   owner  and  members  of  system:administrators
>   always do.
> Recently, with 1.4.1 servers and 1.4.2 clients, one of our users has not
> been able to do a "fs sa" on a directory, while he was the directory's
> owner, but was not in the ACL table. Further tests confirmed that being
> the directory's owner does not give (any more?) the "fs sa" privilege on
> the directory.
> On the other hand, we found out that one can apply "fs sa" on a
> directory, even if he is not in the ACL table, and even if he is not the
> directory's owner, but if he is the owner of the mounting point of the
> volume where the directory resides.

The latter behavior was always true. the change to the former is new in 
1.4, i don't remember the rationale but it was discussed on the list.