Re: [PATCH] private mounts

[Bryan Henderson]

>This is why you have identity squashing and/or strong security: to stop
>the CLIENT administrator impersonating whoever he wants and working
>around your security measures.

That's more of a confirmation than a refutation of the statement that NFS 
root squashing is broken.  Root squashing itself simply does not squash a 
typical system administrator's ability to get at other people's files. 
"broken" isn't the right word, because as long as you recognize root 
squashing for what it is, it's working as designed.  It just isn't what it 
appears to be.

But, in the context of the current thread, I think the perception of NFS 
root squashing as something broken and not to be built upon with private 
mounts has to do with the fact that it messes up Linux's basic file 
permission scheme:  a process with CAP_DAC_OVERRIDE can get EACCES. 
EACCESS means discretionary access controls (DAC) prevent access.  So this 
behavior is unexpected and unnatural.  Worse, an operation can succeed 
_without_ CAP_DAC_OVERRIDE, but not _with_ it.  I've seen this behavior 
cause trouble a number of times -- mostly because it's entirely 
unanticipated.

--
Bryan Henderson                          IBM Almaden Research Center
San Jose CA                              Filesystems
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/