From: Russ Allbery <rra@stanford.edu>
Date: Mon, 29 Jan 2007 19:32:02 +0000 (+0000)
Subject: STABLE14-document-fs-setacl-permissions-20070129
X-Git-Tag: openafs-stable-1_4_3rc2~21
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=3319143ddbb44f1fee8ee5b19c3b18536457d5b9;p=packages%2Fo%2Fopenafs.git

STABLE14-document-fs-setacl-permissions-20070129


Better document the current state of implicit "a" rights on directories.


(cherry picked from commit 3960a5ff1cfef0c3f6adfe6cf602b8c80078ce7d)
---

diff --git a/doc/man-pages/pod1/fs_setacl.pod b/doc/man-pages/pod1/fs_setacl.pod
index a6e9cdbc9..ec437023e 100644
--- a/doc/man-pages/pod1/fs_setacl.pod
+++ b/doc/man-pages/pod1/fs_setacl.pod
@@ -263,8 +263,16 @@ and its F<public> subdirectory).
 =head1 PRIVILEGE REQUIRED
 
 The issuer must have the C<a> (administer) permission on the directory's
-ACL; the directory's owner and the members of the system:administrators
-group have the right implicitly, even if it does not appear on the ACL.
+ACL, a member of the system:administrators group, or, as a special case,
+must be the UID owner of the top-level directory of the volume containing
+this directory.  The last provision allows the UID owner of a volume to
+repair accidental ACL errors without requiring intervention by a member of
+system:administrators.
+
+Earlier versions of OpenAFS also extended implicit administer permission
+to the owner of any directory.  In current versions of OpenAFS, only the
+owner of the top-level directory of the volume has this special
+permission.
 
 =head1 SEE ALSO