Network and Storage Protocols
Hello, I am trying to change ownership of files using the nfs4 WRITE_OWNER permission.
I have an 'admin' user in FreeIPA. I want it to have permission to change file ownership on my NFS share. The share is accessed via an nfs4.2 connection with krb5 authentication.
I added this nfs4 ACL line to a file which is owned by another user.
A:fd:admin@domain.com:rwaDxtTnNcCoy
Because I gave it the WRITE_OWNER (o) permission, I expected it could change ownership of the file. But when I try 'chown' on it, I get a permission error.
Is there anything I am missing? Thanks!
Check out this option:
[-chown-mode {restricted|unrestricted|use-export-policy}]
Vserver Change Ownership Mode (privilege: advanced)
This optional parameter specifies whether file ownership can be changed only by the superuser, or if a non-root user can also change file ownership. If you set this parameter to restricted, file ownership can be changed only by the superuser, even though the on-disk permissions allow a non-root user to change file ownership. If you set this parameter to unrestricted, file ownership can be changed by the superuser and by the non-root user, depending upon the access granted by on-disk permissions. If you set this parameter to use-export-policy, file ownership can be changed in accordance with the relevant export rules.
Thanks @Ontapforrum !
I have seen the documents. I thought it opened up the permission to everyone. (The document already says that this isn't the case...)
I might be afraid to test it in a production environment.
Vserver-level unrestricted mode didn't work for me, but changing the export-policy works!
Today I found I cannot change ownership of files with the export-policy alone! I also needed to set the vserver to unrestricted.