
How are permissions for attribute operations calculated?


(Ivan Kadochnikov) #1

I found this inconsistent behaviour on an empty directory I created:

Attributes before anything:

EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> attr ls ivan_test/
sys.acl="egroup:eulake-devops:rwx,u:8619:rwx,u:10761:rwx,u:57357:rwx,u:32117:rwx,u:33378:rwx,u:12527:rwx"
sys.forced.checksum="adler"

Forbid writing for myself:

EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> chmod 444 ivan_test/
success: mode of file/directory /eulake/lcg/test/hammercloud/atlas/ivan_test is now '2444'

Still able to set the attribute (is it because I’m the dir owner or because I’m in sys.acl?)

EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> attr set user.forced.placementpolicy=gathered:CERN ivan_test/

Check that the attribute is actually set:

EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> attr ls ivan_test/
sys.acl="egroup:eulake-devops:rwx,u:8619:rwx,u:10761:rwx,u:57357:rwx,u:32117:rwx,u:33378:rwx,u:12527:rwx"
sys.forced.checksum="adler"
user.forced.placementpolicy="gathered:CERN"

Try removing the attribute and I can’t:

EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> attr rm user.forced.placementpolicy ivan_test/
error: unable to remove attribute 'user.forced.placementpolicy' in file/directory /eulake/lcg/test/hammercloud/atlas/ivan_test
 (errc=1) (Operation not permitted)

But I can when I allow writing to the directory:

EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> chmod 744 ivan_test/
success: mode of file/directory /eulake/lcg/test/hammercloud/atlas/ivan_test is now '2744'
EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> attr rm user.forced.placementpolicy ivan_test/
success: removed attribute 'user.forced.placementpolicy' from file/directory /eulake/lcg/test/hammercloud/atlas/ivan_test

I’m user 12527:

EOS Console [root://eulake.cern.ch] |/eulake/lcg/test/hammercloud/atlas/> whoami
Virtual Identity: uid=12527 (12527,99) gid=1307 (1307,99) [authz:krb5] host=lxplus083.cern.ch

What is the expected behaviour here? Is attribute creation not affected by unix permissions, but attribute deletion is? Or is attribute creation covered by sys.acl, but attribute deletion is not?


(Andreas Joachim Peters) #2

I checked the code. setxattr for users requires the owner if you are not a super user. Deleting an attribute requires POSIX (xw), and there is even a note to review that in the source code ;-).
I suggest changing it so that deletion also requires the owner, and we introduce a new ACL letter for the setxattr permission.

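A small model of the two rules stated in this reply, replayed against the `chmod` / `attr set` / `attr rm` sequence from the opening post (added example, not EOS code; the function names, the way the rules are encoded, and the directory's group id are assumptions):

```python
# Added example: models "set needs owner unless super user" and
# "rm needs POSIX w+x" as described in the reply above. Not EOS source;
# rule encoding, names and the directory gid are assumptions.
from dataclasses import dataclass

@dataclass
class DirEntry:
    owner_uid: int
    owner_gid: int
    mode: int        # mode bits as EOS prints them, e.g. 0o2444 (setgid + 444)
    sys_acl: str     # kept for realism; neither rule below reads it

@dataclass
class Identity:
    uid: int
    gid: int
    sudoer: bool = False   # the "super user" case from the reply

_RWX = {"r": 4, "w": 2, "x": 1}

def posix_allows(entry: DirEntry, who: Identity, need: str) -> bool:
    """True if the owner/group/other class that applies to `who` carries
    every letter in `need`; setgid/sticky bits are masked out."""
    if who.uid == entry.owner_uid:
        shift = 6
    elif who.gid == entry.owner_gid:
        shift = 3
    else:
        shift = 0
    bits = (entry.mode >> shift) & 0o7
    return all(bits & _RWX[c] for c in need)

def can_set_xattr(entry: DirEntry, who: Identity) -> bool:
    """Setting a user.* attribute: ownership or super user, no ACL lookup."""
    return who.sudoer or who.uid == entry.owner_uid

def can_rm_xattr(entry: DirEntry, who: Identity) -> bool:
    """Removing an attribute: POSIX w and x on the directory, no ACL lookup."""
    return who.sudoer or posix_allows(entry, who, "wx")

# Constructed sample mirroring the post: ivan_test owned by uid 12527,
# gid 1307 (assumed from the whoami output), sys.acl as listed by `attr ls`.
ACL = ("egroup:eulake-devops:rwx,u:8619:rwx,u:10761:rwx,u:57357:rwx,"
       "u:32117:rwx,u:33378:rwx,u:12527:rwx")
IVAN = Identity(uid=12527, gid=1307)

def replay(mode: int, who: Identity = IVAN) -> dict:
    """Decide `attr set` and `attr rm` on ivan_test at the given mode."""
    d = DirEntry(owner_uid=12527, owner_gid=1307, mode=mode, sys_acl=ACL)
    return {"set": can_set_xattr(d, who), "rm": can_rm_xattr(d, who)}

if __name__ == "__main__":
    for mode in (0o2444, 0o2744):
        print(oct(mode), replay(mode))
```

Under these rules a uid listed in sys.acl with rwx but not owning the directory can neither set nor remove the attribute, which is why the ACL entry does not explain the observed behaviour.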

(Ivan Kadochnikov) #3

Thanks! Where is it in the code? Can I have a link, please?
I’m trying to find what else can disallow me from setting an attribute.


(Andreas Joachim Peters) #4

Here you go: