[Labeled-nfs] Labeled RPC & NFS
James Morris
jmorris at namei.org
Mon Jan 14 17:48:10 EST 2008
On Mon, 14 Jan 2008, Dave Quigley wrote:
> Steve brought up a problem with placing this at the NFS protocol level,
> and it is this: what stops a random process from opening up a raw socket
> and hand-encoding NFS RPC messages to the server? With no auth the
> answer is nothing; however, with Kerberos the questions are where does
> krb5d store the credentials, who can get access to them, and under what
> conditions. There is a krb5cc-$uid file created under tmp which is used
> for the credentials cache, and any process that is running as that UID
> can access it.
I don't see how this is affected by placement of the MAC label.
- James
--
James Morris
<jmorris at namei.org>