Making group inheritance immutable with extended ACL?

0

We have a quota management system on our beegfs storage system which tracks group usage of a folder.

In this test, the quota is managed for group "fordemx-home", test folder is setup as follows:

$ mkdir acl_test
$ sudo chown -R fordemx:fordemx-home acl_test
$ sudo chmod 0770 acl_test/
$ sudo chmod g+s acl_test
$ sudo chmod u+s acl_test
$ sudo setfacl -Rdm u:fordemx:rwx acl_test
$ sudo setfacl -Rdm g:fordemx-home:rwx acl_test
$ sudo setfacl -Rdm o::- acl_test
$ getfacl acl_test/
# file: acl_test/
# owner: fordemx
# group: fordemx-home
# flags: ss-
user::rwx
group::rwx
other::---
default:user::rwx
default:user:fordemx:rwx
default:group::rwx
default:group:fordemx-home:rwx
default:mask::rwx
default:other::---

So both user and group are sticky, and the default user and group for the parent and child are assigned. On file/folder creation, user, group, and default ACLs are inherited properly, and affect quota utilization appropriately. In the following example we create two dummy files, remove one, and check quota utilization between each step:

$ cd acl_test
$ dd if=/dev/urandom of=sample1.txt bs=64M count=16
$ dd if=/dev/urandom of=sample2.txt bs=64M count=16
$ ll
total 1048577
drwsrws---+  2 fordemx fordemx-home         2 Apr 16 13:09 ./
drwxr-s---  17 fordemx fordemx-home        27 Apr 16 12:53 ../
-rw-rw----+  1 fordemx fordemx-home 536870896 Apr 16 13:09 sample1.txt
-rw-rw----+  1 fordemx fordemx-home 536870896 Apr 16 13:10 sample2.txt
$ beegfs-ctl --getquota --gid fordemx-home

Quota information for storage pool Default (ID: 1):

      user/group     ||           size          ||    chunk files    
     name     |  id  ||    used    |    hard    ||  used   |  hard   
--------------|------||------------|------------||---------|---------
  fordemx-home|  2036||    1.89 GiB| 1024.00 GiB||    16251|unlimited

$ rm -rf sample1.txt
$ beegfs-ctl --getquota --gid fordemx-home

Quota information for storage pool Default (ID: 1):

      user/group     ||           size          ||    chunk files    
     name     |  id  ||    used    |    hard    ||  used   |  hard   
--------------|------||------------|------------||---------|---------
  fordemx-home|  2036||    1.39 GiB| 1024.00 GiB||    16247|unlimited

So everything works as expected up to this point. However, since the user owns these files, they are able to change the group on the file, which stops the file from being tracked within the group quota:

$ chown fordemx:fordemx sample2.txt
$ beegfs-ctl --getquota --gid fordemx-home

Quota information for storage pool Default (ID: 1):

      user/group     ||           size          ||    chunk files    
     name     |  id  ||    used    |    hard    ||  used   |  hard   
--------------|------||------------|------------||---------|---------
  fordemx-home|  2036||  911.07 MiB| 1024.00 GiB||    16243|unlimited

This isn't desirable, as a user could essentially just sidestep our quota restrictions. What's odd is that the ACL for sample2.txt still shows the ACL-defined group as "fordemx-home":

$ getfacl sample2.txt
# file: sample2.txt
# owner: fordemx
# group: fordemx
user::rw-
user:fordemx:rwx
group::rwx
group:fordemx-home:rwx # <----- shouldn't quota still be managed under fordemx-home
mask::rw-
other::---

Is there a way that I can restrict the user from changing the Linux group permissions on files within this directory and its children? Any other help or suggestions are welcome.

Martin James

Posted 2019-04-16T18:18:51.237

Reputation: 35

Answers

0

A little hackish, and it will likely break stuff. But you know, no pain no gain. Decided to change permissions on chgrp and chown to root only. Seems the only way to stop users from passing on the buck.

Martin James

Posted 2019-04-16T18:18:51.237

Reputation: 35
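As an added example (not code from the original question or answer): a shell audit for the drift shown above. A file counts toward a group quota by its owning GID, and neither the directory's setgid bit nor a named ACL entry like group:fordemx-home:rwx pins that GID after creation, so restricting the chgrp/chown binaries still leaves the detection side open; a periodic check of the tree is a useful backstop. It assumes GNU findutils (for -printf); the directory and group names in the demo are constructed stand-ins for acl_test and fordemx-home.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a quota-managed tree
# for entries whose owning group has drifted away from the quota group.
# Assumes GNU findutils (for -printf) and a POSIX awk. The directory and group
# names used in the demo are constructed stand-ins for acl_test / fordemx-home.

# Owning group name of a single path (numeric GID if the group has no name).
owning_group() {
    find "$1" -maxdepth 0 -printf '%g\n'
}

# Print "group<TAB>path" for every entry below $1 whose owning group is not $2.
# A named ACL entry such as group:fordemx-home:rwx only grants permissions;
# group quota accounting follows the owning GID, which is what this inspects.
list_group_drift() {
    find "$1" -mindepth 1 \( -type f -o -type d \) -printf '%g\t%p\n' \
        | awk -F '\t' -v want="$2" '$1 != want'
}

# Number of drifted entries; 0 means every entry still counts toward $2's quota.
count_group_drift() {
    list_group_drift "$1" "$2" | wc -l | tr -d ' '
}

# Move drifted entries back under the quota group. Needs root (or membership
# in $2); assumes paths contain no tab or newline characters.
repair_group_drift() {
    list_group_drift "$1" "$2" | while IFS="$(printf '\t')" read -r _ path; do
        chgrp -- "$2" "$path"
    done
}

# Demo on a constructed tree; runs unprivileged using the caller's own group.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/acl_test/sub"
    : > "$tmp/acl_test/sample1.txt"
    : > "$tmp/acl_test/sub/sample2.txt"
    echo "drift vs own group:    $(count_group_drift "$tmp/acl_test" "$(owning_group "$tmp")")"
    echo "drift vs fordemx-home: $(count_group_drift "$tmp/acl_test" fordemx-home)"
    rm -rf "$tmp"
}

demo
```

Run the audit from cron against the real tree as root; repair_group_drift reverses the drift the question demonstrates, while the listing alone is enough to alert on it.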