CITI acl patch is dangerous.

J. Bruce Fields bfields at fieldses.org
Thu Oct 25 18:05:38 EDT 2007


On Fri, Oct 26, 2007 at 12:01:48AM +0200, Sébastien Bernard wrote:
> J. Bruce Fields wrote:
>> On Thu, Oct 25, 2007 at 11:46:27PM +0200, Sébastien Bernard wrote:
>>> J. Bruce Fields wrote:
>>>> On Thu, Oct 25, 2007 at 11:30:42PM +0200, Sébastien Bernard wrote:
>>>>> I wanted to add a /home/public directory accessible to all users of the 
>>>>> group.
>>>>> So I checked the rights of the directory, it's nobody:users (775).
>>>>> But no user was able to create a directory. Changing the rights to 777 
>>>>> allowed everyone to create things in this dir with
>>>>> correct users and rights.
>>>> Does the "users" group exist on the server side, and have all of the
>>>> correct users as members?
>>>> --b.
>>> Yes, of course. However, the users group exists only in the ldap tree.
>> When a kerberos user authenticates we just pass the kernel the list of
>> groups returned by getgrouplist() for that user.  That's probably the
>> same list that, e.g., the "id" command returns.  So a group that doesn't
>> appear in that list will probably be ignored.
> The id returns the correct group. Everything seems to be ok.

Hm.  We also assume that the kerberos principal name is of the form

	username@MYREALM

where "username" is the name of the user on the server.

So, if that's true, and if "id" on the server shows the appropriate
group, and a "ls -ld" of the directory on the server shows the
permissions (and user and group) that you expect: then I'm stumped.
Sounds like a bug.

--b.
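As an added example (not part of the thread), a small C program that checks the two server-side assumptions named above: the principal is of the form username@REALM, and the groups the kernel sees are whatever getgrouplist() returns for that username on the server. The function names and the 256-group buffer limit are my own choices, not code from the NFS server or svcgssd.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Strip the realm from "username@MYREALM"; returns out, or NULL if there
 * is no '@' or the name does not fit. */
const char *principal_to_user(const char *princ, char *out, size_t outlen)
{
    const char *at = strchr(princ, '@');
    if (at == NULL || (size_t)(at - princ) >= outlen)
        return NULL;
    memcpy(out, princ, at - princ);
    out[at - princ] = '\0';
    return out;
}

/* Return 1 if the host's group database (the same source "id" uses) lists
 * `user` in `group`, 0 if not, -1 if the user or group is unknown here. */
int user_in_group(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    if (pw == NULL || gr == NULL)
        return -1;
    gid_t gids[256];                     /* assumed upper bound on group count */
    int n = sizeof gids / sizeof gids[0];
    if (getgrouplist(user, pw->pw_gid, gids, &n) == -1)
        return -1;                       /* more than 256 groups: treat as unknown */
    for (int i = 0; i < n; i++)
        if (gids[i] == gr->gr_gid)
            return 1;
    return 0;
}

int main(int argc, char **argv)
{
    char user[256];
    if (argc != 3 || principal_to_user(argv[1], user, sizeof user) == NULL) {
        fprintf(stderr, "usage: %s user@REALM group\n", argv[0]);
        return 2;
    }
    int r = user_in_group(user, argv[2]);
    printf("%s -> %s: %s\n", argv[1], user,
           r == 1 ? "member" : r == 0 ? "NOT a member" : "unknown user/group");
    return r == 1 ? 0 : 1;
}
```

Run it on the server, not the client: a "NOT a member" or "unknown user/group" result for a principal that the client's "id" shows in the group points at the server's name service rather than at the ACL code.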
