[OpenAFS] Implicit privilege to do "fs setacl" in a directory
Derrick J Brashear
shadow@dementia.org
Tue, 23 Jan 2007 11:52:43 -0500 (EST)
On Tue, 23 Jan 2007, Frederic Gilbert wrote:
> Hi,
>
> From our AFS experience since Transarc, and from the documentation,
> we believed that, to apply "fs setacl" on a directory:
> Issuer must have ADMINISTER rights to the directory; the
> directory's owner and members of system:administrators
> always do.
>
> Recently, with 1.4.1 servers and 1.4.2 clients, one of our users has not
> been able to do a "fs sa" on a directory, while he was the directory's
> owner, but was not in the ACL table. Further tests confirmed that being
> the directory's owner does not give (any more?) the "fs sa" privilege on
> the directory.
>
> On the other hand, we found out that one can apply "fs sa" on a
> directory, even if he is not in the ACL table, and even if he is not the
> directory's owner, but if he is the owner of the mounting point of the
> volume where the directory resides.
The latter behavior was always true. The change to the former is new in
1.4; I don't remember the rationale, but it was discussed on the list.