How are permissions for attribute operations calculated?

I found this inconsistent behaviour on an empty directory I created:

Attributes before anything:

EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> attr ls ivan_test/
sys.acl="egroup:eulake-devops:rwx,u:8619:rwx,u:10761:rwx,u:57357:rwx,u:32117:rwx,u:33378:rwx,u:12527:rwx"
sys.forced.checksum="adler"

Forbid writing for myself:

EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> chmod 444 ivan_test/
success: mode of file/directory /eulake/lcg/test/hammercloud/atlas/ivan_test is now '2444'

Still able to set the attribute (is it because I’m the dir owner or because I’m in sys.acl?)

EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> attr set user.forced.placementpolicy=gathered:CERN ivan_test/

Check that the attribute is actually set:

EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> attr ls ivan_test/
sys.acl="egroup:eulake-devops:rwx,u:8619:rwx,u:10761:rwx,u:57357:rwx,u:32117:rwx,u:33378:rwx,u:12527:rwx"
sys.forced.checksum="adler"
user.forced.placementpolicy="gathered:CERN"

Try removing the attribute and I can’t:

EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> attr rm user.forced.placementpolicy ivan_test/
error: unable to remove attribute 'user.forced.placementpolicy' in file/directory /eulake/lcg/test/hammercloud/atlas/ivan_test
 (errc=1) (Operation not permitted)

But I can when I allow writing to the directory:

EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> chmod 744 ivan_test/
success: mode of file/directory /eulake/lcg/test/hammercloud/atlas/ivan_test is now '2744'
EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> attr rm user.forced.placementpolicy ivan_test/
success: removed attribute 'user.forced.placementpolicy' from file/directory /eulake/lcg/test/hammercloud/atlas/ivan_test

I’m user 12527:

EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> whoami
Virtual Identity: uid=12527 (12527,99) gid=1307 (1307,99) [authz:krb5] host=lxplus083.cern.ch

What is the expected behaviour here? Is attribute creation not affected by unix permissions, but attribute deletion is? Or is attribute creation covered by sys.acl, but attribute deletion is not?

I checked the code. setxattr for users requires being the owner if you are not a superuser. Deleting an attribute requires POSIX (xw), and there is even a note to review that in the source code ;-).
I suggest changing it so that deletion also requires the owner, and introducing a new ACL letter for the setxattr permission.
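To make the two rules from the reply concrete, here is a small C++ model (added here; it is not EOS's own code from Attr.cc) that reproduces the behaviour seen in the console session above: setting a user.* attribute is gated on directory ownership (or uid 0), while removing one is gated on POSIX write+execute on the directory. The identities, mode values and `canSetUserAttr`/`canRemoveUserAttr` names are assumptions for illustration; sys.acl is deliberately not modelled because, per the reply, the setxattr path checks ownership rather than the ACL.

```cpp
#include <cassert>
#include <cstdint>
#include <iostream>
#include <string>

// Hypothetical model of the two permission rules described in the reply.
// It is NOT the EOS implementation; it only mirrors the stated behaviour.

struct Identity {
    uint32_t uid;
    uint32_t gid;
};

struct DirEntry {
    uint32_t owner_uid;
    uint32_t owner_gid;
    unsigned mode;   // octal mode as printed by "chmod" in the console, e.g. 02444
};

// Parse the mode string the EOS console prints ("2444") as octal.
unsigned parseMode(const std::string& s) {
    return static_cast<unsigned>(std::stoul(s, nullptr, 8));
}

// True if 'who' holds every bit of 'want' (r=4, w=2, x=1) in the
// owner / group / other class that applies to them. The setgid bit
// (02000) and other high bits are masked away by "& 07".
bool posixAllows(const Identity& who, const DirEntry& dir, unsigned want) {
    if (who.uid == 0) return true;                   // root bypasses mode bits
    unsigned shift;
    if (who.uid == dir.owner_uid)      shift = 6;    // owner class
    else if (who.gid == dir.owner_gid) shift = 3;    // group class
    else                               shift = 0;    // other class
    unsigned granted = (dir.mode >> shift) & 07;
    return (granted & want) == want;
}

// Rule 1: setting a user.* xattr requires being the owner, unless superuser.
bool canSetUserAttr(const Identity& who, const DirEntry& dir) {
    return who.uid == 0 || who.uid == dir.owner_uid;
}

// Rule 2: removing a user.* xattr requires POSIX write+execute on the directory.
bool canRemoveUserAttr(const Identity& who, const DirEntry& dir) {
    const unsigned W = 02, X = 01;
    return posixAllows(who, dir, W | X);
}

int main() {
    // Constructed scenario matching the session above: uid 12527 owns the
    // directory; the modes are the ones reported by "chmod 444" and "chmod 744".
    Identity me{12527, 1307};
    Identity other{8619, 1307};   // listed in sys.acl, but not the owner
    DirEntry readOnly{12527, 1307, parseMode("2444")};
    DirEntry writable{12527, 1307, parseMode("2744")};

    std::cout << "mode 2444: set=" << canSetUserAttr(me, readOnly)
              << " rm=" << canRemoveUserAttr(me, readOnly) << '\n';   // set=1 rm=0
    std::cout << "mode 2744: set=" << canSetUserAttr(me, writable)
              << " rm=" << canRemoveUserAttr(me, writable) << '\n';   // set=1 rm=1
    std::cout << "non-owner on 2744: set=" << canSetUserAttr(other, writable)
              << " rm=" << canRemoveUserAttr(other, writable) << '\n'; // set=0 rm=0
    return 0;
}
```

The asymmetry the question points out falls straight out of the two predicates: `chmod 444` leaves ownership untouched, so `canSetUserAttr` still succeeds, while `canRemoveUserAttr` only becomes true once the owner class regains w and x with `chmod 744`.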

Thanks! Where is it in the code, can I have a link please?
I’m trying to find what else can disallow me from setting an attribute.

Here you go:

https://gitlab.cern.ch/dss/eos/blob/dev/mgm/XrdMgmOfs/Attr.cc#L638