From: "H. Peter Anvin" <hpa@zytor.com>
To: trond.myklebust@fys.uio.no
Cc: viro@parcelfarce.linux.theplanet.co.uk,
linux-kernel@vger.kernel.org, raven@themaw.net,
Michael.Waychison@sun.com, thockin@sun.com
Subject: Re: [autofs] [RFC] Towards a Modern Autofs
Date: Thu, 08 Jan 2004 13:13:24 -0800
Message-ID: <3FFDC7F4.4070800@zytor.com>
In-Reply-To: <33178.141.211.133.197.1073592524.squirrel@webmail.uio.no>

trond.myklebust@fys.uio.no wrote:
>
> My point is that the above problem crops up in almost *all* combinations
> of automounter daemon with remote filesystem and strong authentication.
> In order to correctly mount the remote filesystem, the automounter
> itself needs a minimum set of remote privileges (typically it needs to be
> able to browse the remote filesystem).
>
> RFC-2623 describes how to add RPCSEC_GSS to NFSv2/v3. The
> workarounds (hacks really) that I refer to above had to be deliberately
> added in order to make Sun's automounter work in this environment.
> The alternative would have been to have a global "machine" credential
> for use by the automounter when browsing /net. Hardly secure...
>

My point is that it's what you get for having an automounter.

We can't solve Sun's designed-in braindamage, unfortunately. This is
partially why I'd like people to consider the scope of what automounting
does; there are tons of policy issues not all of which are going to be
appropriate in all contexts. To some degree, if you have to have an
automounter you have already lost.

Also, your global machine credential is to some degree "all the security
you get." Any security which isn't enforced by the filesystem driver
doesn't exist in a Unix environment; in particular there is no security
against root. Stupid tricks like remapping uid 0 are just that; stupid
tricks without any real security value. You know this, of course.

However, if you think the automounter doesn't have the privilege to
access the remote server but the user does, then that's false security.

Linux at this point has no ability to support actual user-mounted
filesystems. There are things that could be done to remedy this, but it
would require massive changes to every filesystem driver as well as to
the VFS. Would it be desirable? Absolutely. However, it's partially
the quagmire that got the HURD stuck for a very long time, even though
they had the huge advantage of being able to run their filesystem
drivers in a nonprivileged context.

-hpa