[OpenAFS] Implicit privilege to do "fs setacl" in a directory

Russ Allbery rra@stanford.edu
Mon, 29 Jan 2007 10:51:15 -0800


Derrick J Brashear <shadow@dementia.org> writes:
> On Tue, 23 Jan 2007, Frederic Gilbert wrote:

>> From our AFS experience since Transarc, and from the documentation,
>> we believed that, to apply "fs setacl" on a directory:
>>   Issuer must have ADMINISTER rights to the directory; the
>>   directory's owner and members of system:administrators
>>   always do.
>> 
>> Recently, with 1.4.1 servers and 1.4.2 clients, one of our users has
>> not been able to do a "fs sa" on a directory, while he was the
>> directory's owner, but was not in the ACL table. Further tests
>> confirmed that being the directory's owner does not give (any more?) 
>> the "fs sa" privilege on the directory.
>> 
>> On the other hand, we found out that one can apply "fs sa" on a
>> directory, even if he is not in the ACL table, and even if he is not
>> the directory's owner, but if he is the owner of the mounting point of
>> the volume where the directory resides.

> The latter behavior was always true. The change to the former is new in
> 1.4, I don't remember the rationale but it was discussed on the list.

There was a long-standing patch applied by either MIT or CMU, I forget
which (and each time I say, I get it wrong) to get the above behavior that
was eventually applied to the main tree.  The rationale was that the
primary use of this feature was to allow users to restore their own ACLs
after they did something stupid in their home directory, and for that
ownership of the top-level directory of the volume was all that was
needed.  Having ownership of individual directories matter meant that any
directory in which someone had i permissions allowed them to create
subdirectories on which they had full rights, which was a problem for
class homework submission scripts and the like and seemed like a bad
security model.

I think most of the discussion was in person at the first AFS and Kerberos
Best Practices Workshop at SLAC.

I'll get the man page updated.  I forgot about that.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
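
The rule discussed in this message, as an added example that is not part of the original post and is not OpenAFS code: a simplified Python model of who may run "fs setacl" under the documented pre-1.4 rule and under the 1.4 rule. The class, function, policy labels and sample users are assumptions made for illustration; groups and system:administrators are left out.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Directory:
    name: str
    owner: str
    acl: Dict[str, str] = field(default_factory=dict)  # user -> rights, e.g. "rlidwka"
    parent: Optional["Directory"] = None

    def volume_root(self) -> "Directory":
        d = self
        while d.parent is not None:
            d = d.parent
        return d

    def mkdir(self, user: str, name: str) -> "Directory":
        # Creating a subdirectory needs "i" on the parent; the new directory
        # is owned by its creator and starts with a copy of the parent's ACL.
        if "i" not in self.acl.get(user, ""):
            raise PermissionError(f"{user} lacks i on {self.name}")
        return Directory(name, user, dict(self.acl), self)

def can_setacl(user: str, d: Directory, policy: str) -> bool:
    if policy not in ("pre-1.4", "1.4"):  # hypothetical labels for the two rules
        raise ValueError(policy)
    if "a" in d.acl.get(user, ""):
        return True                        # explicit ADMINISTER right
    if d.volume_root().owner == user:
        return True                        # owns the volume's top-level directory
    # Only the older rule also honours ownership of the directory itself.
    return policy == "pre-1.4" and d.owner == user

def scenarios() -> Dict[str, bool]:
    # Constructed data: a course volume owned by "prof" with a submission
    # directory where "student" holds only lookup and insert rights.
    course = Directory("course", "prof", {"prof": "rlidwka"})
    submit = Directory("submit", "prof", {"prof": "rlidwka", "student": "li"}, course)
    hw = submit.mkdir("student", "hw1")            # now owned by "student"
    # Constructed data: alice removed herself from her home volume's ACL.
    home = Directory("home.alice", "alice", {})
    docs = Directory("docs", "alice", {}, home)
    return {
        "student_on_own_subdir_pre_1.4": can_setacl("student", hw, "pre-1.4"),
        "student_on_own_subdir_1.4": can_setacl("student", hw, "1.4"),
        "alice_on_home_1.4": can_setacl("alice", home, "1.4"),
        "alice_on_subdir_1.4": can_setacl("alice", docs, "1.4"),
    }
```

Under the older rule the student can rewrite the ACL of the subdirectory created inside the submission directory; under the 1.4 rule only the owner of the volume's top-level directory keeps that implicit right, which still covers restoring ACLs in one's own home volume.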