NetApp Community Update
This site will enter Read Only mode on July 23 as we prepare to move to a new platform. You will still be able to view content, but posting and replying will be temporarily disabled.
We're excited to launch our new Community experience on July 30 and more information will follow soon.
Stay connected during the transition - Join our Discord community today.

Network and Storage Protocols

Change owner of file with WRITE_OWNER acl permission in nfs4 connection

yb
4,045 Views

Hello, I am trying to change ownership of files using nfs4 WRITE_OWNER permission.

 

I have 'admin' user in FreeIPA. I want it has permission to change file ownership on my nfs share. The access to the share via nfs4.2 connection with krb5 authentication.

 

I put this nfs4 acl line to a file which is owned by another user.

 

A:fd:[email protected]:rwaDxtTnNcCoy

 

Because I gave it WRITE_OWNER (o) permission, expected it can change ownership of the file. But when I try 'chown' on it, I got permission error.

 

Is there anything I am missing? Thanks!

 

1 ACCEPTED SOLUTION

Ontapforrum
4,001 Views

Check out this option:

 

[-chown-mode {restricted|unrestricted|use-export-policy}]

 

Vserver Change Ownership Mode (privilege: advanced)
This optional parameter specifies whether file ownership can be changed only by the superuser, or if a non-root user can also change file ownership. If you set this parameter to restricted, file ownership can be changed only by the superuser, even though the on-disk permissions allow a non-root user to change file ownership. If you set this parameter to unrestricted, file ownership can be changed by the superuser and by the non-root user, depending upon the access granted by on-disk permissions. If you set this parameter to use-export-policy, file ownership can be changed in accordance with the relevant export rules.

 

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_configure_non-root_users_to_change_ownership_of_files_using_NFS...

 

View solution in original post

3 REPLIES 3

Ontapforrum
4,002 Views

Check out this option:

 

[-chown-mode {restricted|unrestricted|use-export-policy}]

 

Vserver Change Ownership Mode (privilege: advanced)
This optional parameter specifies whether file ownership can be changed only by the superuser, or if a non-root user can also change file ownership. If you set this parameter to restricted, file ownership can be changed only by the superuser, even though the on-disk permissions allow a non-root user to change file ownership. If you set this parameter to unrestricted, file ownership can be changed by the superuser and by the non-root user, depending upon the access granted by on-disk permissions. If you set this parameter to use-export-policy, file ownership can be changed in accordance with the relevant export rules.

 

https://kb.netapp.com/Advice_and_Troubleshooting/Data_Storage_Software/ONTAP_OS/How_to_configure_non-root_users_to_change_ownership_of_files_using_NFS...

 

yb
3,987 Views

Thanks @Ontapforrum !

 

I have seen the documents. I thought it open up the permission to everyone. (The document has already said that it isn't the case...)

 

I might be afraid to test it in production environment.

 

Vserver level unrestriction didn't work for me, but changing the export-policy works!

yb
3,859 Views

Today I found I cannot change ownership of files with the export-policy alone! I had also need to set the vserver unrestricted.

Public