On Tue, Nov 12, 2002 at 12:12:22AM +0100, Andreas Gruenbacher wrote:
> > The other thing to consider here is that I really don't want to
> > start us down the path where individual user attributes are owned
> > by some user or group other than the owner or group owner of the
> > base file. When you start talking about "credentials being passed
> > around", as opposed to simply a single bit which says, "this is
> > official kernel business", you're scaring me.
>
> I wasn't thinking of different permissions for different attributes,
> but of a way to decouple the running process from the credentials
> seen in the file system. The only cases at the moment are kernel
> context vs. process context, but other cases might come up in the
> future (NFS?).
As long as we stick to a very simple file ownership access control model
for xattr's, then NFS can simply do the uid check itself. We don't
need to pass a full set of credentials; a simple integer comparison in
the NFS code before it calls the set_xattr() call will do.
(And maybe a special case test for uid == 0, although why anyone who
cares about security would be insane enough to run NFS without NFS
root squash enabled is completely beyond me....)
- Ted
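A constructed model of the ownership-only check Ted describes, with the NFS side doing its own integer uid comparison (and root squash) before calling set_xattr(). This is an added example, not code from the thread, the kernel or the NFS server; the function names and the 65534 anonymous uid are assumptions.

```c
#include <stdbool.h>
#include <sys/types.h>

/* Assumed anonymous uid that root squash maps client uid 0 onto. */
#define NOBODY_UID 65534

/* Credentials as seen by the file system, plus the single
 * "official kernel business" bit from the thread. */
struct caller {
    uid_t uid;
    bool kernel_context;
};

/* Only the owner uid matters in the simple ownership model. */
struct inode_owner {
    uid_t uid;
};

/* Ownership model: kernel context always passes; a process must own
 * the file, with uid 0 as the special case Ted mentions. */
bool may_set_xattr(const struct caller *c, const struct inode_owner *ino)
{
    if (c->kernel_context)
        return true;
    if (c->uid == 0)
        return true;
    return c->uid == ino->uid;
}

/* NFS-side wrapper: apply root squash to the client's uid, then do the
 * plain integer comparison itself before reaching set_xattr().
 * Without root squash, any client claiming uid 0 passes the check. */
bool nfs_may_set_xattr(uid_t client_uid, bool root_squash,
                       const struct inode_owner *ino)
{
    struct caller c = { .uid = client_uid, .kernel_context = false };

    if (root_squash && client_uid == 0)
        c.uid = NOBODY_UID;
    return may_set_xattr(&c, ino);
}
```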