H. Peter Anvin wrote:

>My point is that it's what you get for having an automounter.
>
>We can't solve Sun's designed-in braindamage, unfortunately.  This is
>partially why I'd like people to consider the scope of what automounting
>does; there are tons of policy issues not all of which are going to be
>appropriate in all contexts.  To some degree, if you have to have an
>automounter you have already lost.
>  
>
However, we can solve Linux's designed-in braindamage.

>Also, your global machine credential is to some degree "all the security
>you get."  Any security which isn't enforced by the filesystem driver
>doesn't exist in a Unix environment;
>

What does this mean?   I don't understand.

> in particular there is no security
>against root.  Stupid tricks like remapping uid 0 are just that; stupid
>tricks without any real security value.  You know this, of course.
>However, if you think the automounter doesn't have the privilege to
>access the remote server but the user does, then that's false security.
>
>  
>
No, the security lies in the fact that the remote server knows the user 
is privileged to access it.  It's a side issue that the mount itself is 
made using an automounter.

>Linux at this point has no ability to support actual user-mounted
>filesystems.  There are things that could be done to remedy this, but it
>would require massive changes to every filesystem driver as well as to
>the VFS.  
>
??  As part of our research into namespaces, we at Sun have gone through 
and tried to identify the number of semantic changes required to achieve 
user-privileged mounting, however we never saw the need to do anything 
special at all in 'each filesystem driver'.  The issue is one of a 
permission model and should be out of scope for individual filesystems.

>Would it be desirable?  Absolutely.  However, it's partially
>the quagmire that got the HURD stuck for a very long time, even though
>they had the huge advantage of being able to run their filesystem
>drivers in a nonprivileged context.
>
>  
>
Other systems such as plan 9 have done it though..    If anything is 
keeping us from doing it, it's the traditional unix mount semantics and 
the security models that have been built on top of them.

-- 
Mike Waychison
Sun Microsystems, Inc.
1 (650) 352-5299 voice
1 (416) 202-8336 voice
mailto: Michael.Waychison@Sun.COM
http://www.sun.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
NOTICE:  The opinions expressed in this email are held by me, 
and may not represent the views of Sun Microsystems, Inc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~