--On Monday, October 27, 2008 06:20:44 PM -0400 Michael Meffie <[EMAIL PROTECTED]> wrote:

> [EMAIL PROTECTED] wrote:
> > <<On Mon, 20 Oct 2008 09:51:15 -0400, Michael Meffie
> > <[EMAIL PROTECTED]> said:
> >
> > > I have been looking at Derrick's patch from last spring
> > > to implement POSIX style chown, with the hope it can be
> > > included in OpenAFS 1.5. Since there are security implications
> > > to this change, I am posting it here for further review
> > > and comment.
> > >
> > > The idea is to allow regular users to disown files when the
> > > C acl bit is set.
> >
> > What does POSIX have to do with this?  POSIX does not require that
> > users have the ability to give away files.  (In fact, a "strictly
> > conforming" POSIX implementation shall not allow this.)

> I think the name posix chown came from the fact that posix requires
> the suid and sgid bits be cleared when the user disowns a file, which
> is an important security consideration.

POSIX has this requirement, when users are allowed to disown files. But then, System V UNIX has always had that behavior. And as noted, POSIX does not require System V chown behavior; it permits and even encourages BSD behavior, in which users cannot give away files (in BSD UNIX, allowing users to give away files would allow them to subvert the quota system).


> > Does the patch include changes to allow pathconf(_PC_CHOWN_RESTRICTED,
> > "/afs/...") to return the correct value?

No, and in fact, I'm not sure we can. Doing this at all would require giving AFS clients a means of discovering this, which they presently do not have. Since there is no standardized ACL bit for this, clients cannot discover the correct answer by examining the ACL, because ACL extension bits must be interpreted in the context of the server containing the ACL. But it gets worse... in AFS, whether a chown is permitted depends on the client's authenticated identity. With this patch, chown is permitted to AFS administrators and for users who have the 'C' bit (or whichever is used); without it, it is permitted only to AFS administrators. It's not clear to me that pathconf(_PC_CHOWN_RESTRICTED) is expected to return a value which depends on the caller; rather, I believe it is intended to return a static value depending only on the path, with the implication that even when present, the restriction does not apply to administrators.

-- Jeff
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel