The environment that this senerio would be most likly to be used in would
not be using a Linux box for the NFS server, instead it would be using
something like a Network appliance (or their higher end competitor,
Auspecs or domwthing like that). These boxes run their own OS, have their
own filesystem and are heavily tuned (raid for disks, large amounts of
static ram to buffer writes to, etc). They are also not cheap, the one I
am using at my web farm here runs ~$60,000. not having the ability to use
any capabilities for files residing on this system would be a drawback.
Why? Put your all of your data files on the central NFS server.
Put all of your executables (which for a web farm should be a *very*
small number of files) on local disk. Simple, and secure.
For bonus points, if what you need is something so simple, stupid that
even a manager can maintain it, write a script which copies the
executables from the NFS server, verifies their MD5 checksums, and
finally verifies the PGP signature on the MD5 checksum file. Then have
that script set any necessary capabilities on the freshly copied
executables on your machine. There! Now it's even easy to administer.
And still secure.
- Ted
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/