On 10/25/2014 8:30 PM, Nathaniel W Filardo wrote: > On Sat, Oct 25, 2014 at 07:07:10PM -0400, Jeffrey Altman wrote: >> On 10/25/2014 3:35 PM, Nathaniel W Filardo wrote: >>> Hello all, >>> >>> At present, GIDs seem a little funny -- it takes system:administrator >>> membership to change them, but files can be created with arbitrary GID >>> simply by operating a client with a UNIX credential whose primary GID is >>> whatever is desired. >> >> The actual requirements for setting the ownership and/or group of a >> vnode are >> >> 1a. Insert permission on the directory >> 1b. Ownership of the file >> >> or >> >> 2. Member of system:administrator group >> >> or >> >> 3a. Owner can be changed if the volume owner is the object owner >> 3b. Group can be changed if the volume group is the object group
This should teach me to read code in a hurry. The above is completely wrong. > Is this written down somewhere authoritative that I don't know about or have > forgotten? (i.e. is there a specification document for the "operation X > rights X UNIX permissions on special files" table) IN the early 90s Transarc developed the protocol specification documents that are located in doc/pdf/ in the source repository. The fscm-ispec pdf provides the documentation the community was given for the RXAFS RPCs. The AFSFetchStatus and AFSStoreStatus structures document the "Group" fields as "not implemented". The GetStatus() function in src/viced/afsfileprocs.c also comments that the Group field is not implemented. And yet, the Group field has been set as far back as AFS 3.0. If "partially implemented" is what was meant by "not implemented", then that would explain why only the system:administrators can set the values. Unix mode group is not a property that will be set appropriately by non-UNIX clients and might not be set properly by UNIX clients. I do not believe that the group value should be taken into account when the file server is making decisions. I believe the behavior should be as close as possible to that described by POSIX http://www.unix.com/man-page/POSIX/1posix/chgrp/ "Only the owner of a file or the user with appropriate privileges may change the owner or group of a file." For AFS I would interpret that as the group can be changed if any of the following are true: 1. the owner id of the file is the AFS ID of the issuer 2. the issuer has "admin" privileges, the group 3. the issuer is a member of system:administrators However, this is protocol specification question and it should be discussed on afs3-standardization before any implementation is accepted. Jeffrey Altman
smime.p7s
Description: S/MIME Cryptographic Signature
