Hi
I am accessing files in a ZFS file system via NFSv4.
I am not logged in as root.
File permissions look as expected when I inspect them with ls -v and ls -V.
I only have owner and group ACLs...nothing for everyone.
bash-3.00$ id
uid=100(timt) gid=10001(ccbcadmins)
bash-3.00$ groups
ccbcadmins staff
bash-3.00$ ls -v testacl
-rwxrwx---+ 1 timt ccbcadmins 0 Jan 31 16:24 testacl
     0:owner@:read_data/write_data/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:allow
     1:group@:read_data/write_data/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:allow
I can change the group ownership of a file to any group I am a member
of, but not to groups I am not a member of - this is as expected.
My question is how do I make it so that I CANNOT change group ownership
of files that I own?
I have changed the ACLs on the file so that owner and group do not have
write_owner permissions but I can still change the group ownership as
before. I have tried removing write_owner from allow permissions and
adding a deny ACL which denies write_owner permissions.
bash-3.00$ ls -v testacl
-rwxrwx---+ 1 timt ccbcadmins 0 Jan 31 16:23 testacl
     0:user:timt:write_owner:deny
     1:group@:write_owner:deny
     2:owner@:write_owner:deny
     3:owner@:read_data/write_data/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/synchronize:allow
     4:group@:read_data/write_data/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/synchronize:allow
but this makes no difference...I can still change the group ownership.
Clearly I am doing something wrong...or have incorrect expectations.
Anyone got any ideas on this?
Thanks
Tim
--
*Tim Thomas
Open Storage Technical Specialist
Sun Microsystems UK *
Mobile: +44 (0)7802-212209
DDI: +44 (0)161 905-8097
Email: tim.tho...@sun.com