From: "Brian J. Murrell" <brian-SquOHqY54CVWr29BmMi2cA@public.gmane.org>
To: linux-nfs@vger.kernel.org
Subject: Re: gssapi and nfs4
Date: Wed, 05 Nov 2008 14:51:56 -0500 [thread overview]
Message-ID: <1225914716.3785.54.camel@pc.interlinx.bc.ca> (raw)
In-Reply-To: <89c397150811051140p2f6e1cb1x1960570d19ac5d6d-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
[-- Attachment #1: Type: text/plain, Size: 1261 bytes --]
On Wed, 2008-11-05 at 14:40 -0500, William A. (Andy) Adamson wrote:
>
> A better way to limit access is to use ACL's on the directory,
Yes, indeed. I have been holding off as long as I can on using ACLs
given the lack of integration into the GUI (i.e. gnome) environment thus
far. For example, so far as I know, nautilus does not have any ACL
inspection/modification in it yet. Maybe that's not such a big deal.
Just another layer I guess.
> which
> actually make a difference when running kerberos. :)
Yeah.
FWIU, ACLs would solve the other of the 2 problems that I went to nfs4
with gssapi for anyway and that's being able to more easily allow others
access to files. Unix groups work fine for this as long as you can
control the umask/permission bits a particular application sets on the
files it creates.
While I can create inheritance rules for ownerships in the SYS security
model I can't create (inheritable) umask/permissions rules and have to
rely on either the users' global umask or the application giving, say,
group write permissions to a file. Setting the users' global umask for
that is of course unacceptable and that only leaves attacking the
problem on an application-by-application basis. Yuck.
b.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 197 bytes --]
next prev parent reply other threads:[~2008-11-05 19:52 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-11-04 15:43 gssapi and nfs4 Brian J. Murrell
2008-11-04 18:00 ` William A. (Andy) Adamson
[not found] ` <89c397150811041000l93b9831w1e8dce2175c6d51f-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2008-11-04 18:53 ` Brian J. Murrell
2008-11-04 22:48 ` J. Bruce Fields
2008-11-05 5:25 ` Brian J. Murrell
[not found] ` <1225862729.13506.8.camel-lA68w17JHpfIgqYUaR6mlLDks+cytr/Z@public.gmane.org>
2008-11-05 19:02 ` J. Bruce Fields
2008-11-05 19:18 ` Brian J. Murrell
[not found] ` <1225912734.3785.40.camel-lA68w17JHpfIgqYUaR6mlLDks+cytr/Z@public.gmane.org>
2008-11-05 19:40 ` William A. (Andy) Adamson
[not found] ` <89c397150811051140p2f6e1cb1x1960570d19ac5d6d-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2008-11-05 19:51 ` Brian J. Murrell [this message]
2008-11-06 21:50 ` J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1225914716.3785.54.camel@pc.interlinx.bc.ca \
--to=brian-squohqy54cvwr29bmmi2ca@public.gmane.org \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox