Hello all,
Sort of on this topic, does anyone have a transfer tool like rsync or mmxcp that 
transfers the NFSv4 ACLs correctly?
Thanks
Matt

From: gpfsug-discuss <[email protected]> on behalf of Anh Dao 
<[email protected]>
Date: Wednesday, September 7, 2022 at 3:48 PM
To: [email protected] <[email protected]>
Subject: Re: [gpfsug-discuss] NF4 ACLs (Joshua Taylor)
In-Reply-To: caghstwimcszfse0jmqamoole9ybgbd_v1thsjawuan1rk4c...@mail.gmail.com

In Linux, chown has the following note:
man 2 chown
“Only a privileged process (Linux: one with the CAP_CHOWN capability) may 
change the owner of a file.
The owner of a file may change the group of the file to any group of which 
that owner is a member.
A privileged process (Linux: with CAP_CHOWN) may change the group arbitrarily.”

Scale now adds NFSv4 ACLs, and the CHOWN permission is basically an additional 
restriction on top of what Linux does. Since Scale is only invoked after Linux 
has performed its checks (chown_ok, 
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/fs/attr.c?h=v5.19.7), 
it cannot overcome the restrictions in place in the Linux VFS.

Regarding the wrapper mentioned, the admin (root) is certainly able to 
implement such a setuid wrapper, but they should be very careful about the 
security aspects of doing so. It seems risky for Scale to implement such a program.

Regards,
Anh Dao
IBM Spectrum Scale
Software Developer
[email protected]
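
The check order described in the message above, as an added example that is not part of the original thread and is neither kernel nor Scale code. It is a simplified user-space model of the `chown_ok`/`chgrp_ok` rules in `fs/attr.c` followed by an ACL decision; the struct names, the `acl_allows_chown` flag, and applying the ACL uniformly to privileged callers are assumptions, and user namespaces and idmapped mounts are ignored.

```c
/* Added model (not kernel or Scale code): VFS ownership checks first,
 * then the NFSv4 ACL CHOWN decision as an extra restriction. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define NO_CHANGE (-1)   /* same meaning as passing -1 to chown(2) */

struct caller { int fsuid; bool cap_chown; const int *groups; size_t ngroups; };
/* acl_allows_chown: hypothetical flag, the ACL's CHOWN verdict for this caller */
struct file { int uid; int gid; bool acl_allows_chown; };

static bool in_group(const struct caller *c, int gid)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return true;
    return false;
}

/* Owner change: only a no-op by the current owner, or CAP_CHOWN. */
static bool vfs_chown_ok(const struct caller *c, const struct file *f, int uid)
{
    if (c->fsuid == f->uid && uid == f->uid) return true;
    return c->cap_chown;
}

/* Group change: the owner may pick a group it is a member of. */
static bool vfs_chgrp_ok(const struct caller *c, const struct file *f, int gid)
{
    if (c->fsuid == f->uid && (in_group(c, gid) || gid == f->gid)) return true;
    return c->cap_chown;
}

/* The ACL is consulted only after the VFS says yes: it can deny, never grant. */
bool change_owner_allowed(const struct caller *c, const struct file *f, int uid, int gid)
{
    if (uid != NO_CHANGE && !vfs_chown_ok(c, f, uid)) return false;
    if (gid != NO_CHANGE && !vfs_chgrp_ok(c, f, gid)) return false;
    return f->acl_allows_chown;
}

int main(void)
{
    const int groups[] = {100, 200};              /* constructed sample data */
    struct caller alice = {1000, false, groups, 2};
    struct file others = {1001, 100, true}, own = {1000, 100, true};
    printf("take ownership via ACL grant: %d\n", change_owner_allowed(&alice, &others, 1000, NO_CHANGE));
    printf("owner chgrp to member group:  %d\n", change_owner_allowed(&alice, &own, NO_CHANGE, 200));
    return 0;
}
```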

