Re: UID/GID mapping system

[Jesse Pollard <jesse@cats-chateau.net>]

On Thursday 11 March 2004 10:02, J. Bruce Fields wrote:
> On Thu, Mar 11, 2004 at 08:08:31AM -0600, Jesse Pollard wrote:
> > On Wednesday 10 March 2004 17:46, Andreas Dilger wrote:
> > > If the client is trusted to mount NFS, then it is also trusted enough
> > > not to use the wrong UID.  There is no "more" or "less" safe in this
> > > regard.
> >
> > It is only trusted to not misuse the uids that are mapped for that
> > client. If the client DOES misuse the uids, then only those mapped uids
> > will be affected. UIDS that are not mapped for that host will be
> > protected.
> >
> > It is to ISOLATE the penetration to the host that this is done. The
> > server will not and should not extend trust to any uid not authorized to
> > that host. This is what the UID/GID maps on the server provide.
>
> You're making an argument that uid mapping on the server could be used
> to provide additional security; I agree.
>
> I don't believe you can argue, however, that providing uid mapping on
> the client would *decrease* security, unless you believe that mapping
> uid's on the client precludes also mapping uid's on the server.

Not really - it would be a 1:1 map... so what would be the purpose?

The problem is in the audit - the server would report a violation in
uid xxx. Which according to it's records is not used on the penetrated client
(at least not via the filesystem). Yet the administrator would report that the
uid is valid (because of a bogus local map).

Double mapping also doubles the audit complications :-)