
Change owner of file with WRITE_OWNER acl permission in nfs4 connection

yb
1,924 Views

Hello, I am trying to change ownership of files using the nfs4 WRITE_OWNER permission.

 

I have an 'admin' user in FreeIPA. I want it to have permission to change file ownership on my nfs share. Access to the share is via an nfs4.2 connection with krb5 authentication.

 

I put this nfs4 ACL line on a file which is owned by another user.

 

A:fd:admin@domain.com:rwaDxtTnNcCoy

 

Because I gave it the WRITE_OWNER (o) permission, I expected it could change ownership of the file. But when I try 'chown' on it, I get a permission error.

 

Is there anything I am missing? Thanks!

 

1 ACCEPTED SOLUTION

Ontapforrum
1,880 Views

Check out this option:

 

[-chown-mode {restricted|unrestricted|use-export-policy}]

 

Vserver Change Ownership Mode (privilege: advanced)
This optional parameter specifies whether file ownership can be changed only by the superuser, or if a non-root user can also change file ownership. If you set this parameter to restricted, file ownership can be changed only by the superuser, even though the on-disk permissions allow a non-root user to change file ownership. If you set this parameter to unrestricted, file ownership can be changed by the superuser and by the non-root user, depending upon the access granted by on-disk permissions. If you set this parameter to use-export-policy, file ownership can be changed in accordance with the relevant export rules.

 

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_configure_non-root_users_to_change_ownership_of_files_using_NFS...
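As an added illustration (not part of the thread and not NetApp code), the sketch below decodes the ACE from the question and applies the -chown-mode rules exactly as the parameter description above words them. The function names are hypothetical, principals are matched by exact string only, and treating an export rule as carrying its own restricted/unrestricted value is an assumption of this model.

```python
# Added example: a model of the documented rules, not ONTAP's implementation.
PERMS = {"r": "READ_DATA", "w": "WRITE_DATA", "a": "APPEND_DATA", "x": "EXECUTE",
         "d": "DELETE", "D": "DELETE_CHILD", "t": "READ_ATTRIBUTES",
         "T": "WRITE_ATTRIBUTES", "n": "READ_NAMED_ATTRS", "N": "WRITE_NAMED_ATTRS",
         "c": "READ_ACL", "C": "WRITE_ACL", "o": "WRITE_OWNER", "y": "SYNCHRONIZE"}
SAMPLE_ACE = "A:fd:admin@domain.com:rwaDxtTnNcCoy"  # the ACE quoted in the question

def parse_ace(line):
    """Split 'type:flags:principal:perms' (nfs4_setfacl text form) into a dict."""
    parts = line.strip().split(":")
    if len(parts) != 4:
        raise ValueError(f"expected 4 colon-separated fields, got {len(parts)}")
    ace_type, flags, principal, perms = parts
    if ace_type not in ("A", "D", "U", "L"):
        raise ValueError(f"unknown ACE type {ace_type!r}")
    unknown = sorted(set(perms) - set(PERMS))
    if unknown:
        raise ValueError(f"unknown permission letters {unknown}")
    return {"type": ace_type, "flags": set(flags), "principal": principal,
            "perms": {PERMS[p] for p in perms}}

def acl_grants_write_owner(aces, principal):
    """NFSv4 ACLs are ordered: the first Allow/Deny ACE naming the bit decides."""
    for ace in aces:
        if ace["principal"] != principal or "WRITE_OWNER" not in ace["perms"]:
            continue
        if "i" in ace["flags"]:  # inherit-only ACEs do not apply to the object itself
            continue
        if ace["type"] in ("A", "D"):
            return ace["type"] == "A"
    return False  # no ACE mentions the bit for this principal

def chown_allowed(is_superuser, vserver_mode, on_disk_ok, export_rule_mode):
    """Apply the -chown-mode description; export_rule_mode is an assumed input."""
    mode = export_rule_mode if vserver_mode == "use-export-policy" else vserver_mode
    if mode not in ("restricted", "unrestricted"):
        raise ValueError(f"unsupported chown mode {mode!r}")
    if is_superuser:
        return True
    # restricted: superuser only, even if the on-disk ACL grants WRITE_OWNER
    return mode == "unrestricted" and on_disk_ok

if __name__ == "__main__":
    granted = acl_grants_write_owner([parse_ace(SAMPLE_ACE)], "admin@domain.com")
    for mode in ("restricted", "unrestricted", "use-export-policy"):
        print(mode, chown_allowed(False, mode, granted, "restricted"))
```

With the ACE from the question the on-disk check passes, so a denial for the non-root user comes from the mode setting rather than from the ACL.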

 


yb
1,866 Views

Thanks @Ontapforrum !

 

I have seen the documents. I thought it opened up the permission to everyone. (The document has already said that it isn't the case...)

 

I might be afraid to test it in a production environment.

 

Vserver level unrestriction didn't work for me, but changing the export-policy works!

yb
1,738 Views

Today I found I cannot change ownership of files with the export-policy alone! I also needed to set the vserver to unrestricted.
