Host based authentication
J. Bruce Fields
bfields at fieldses.org
Fri Apr 20 11:50:03 EDT 2007
On Fri, Apr 20, 2007 at 11:05:38AM -0400, Steve Gaarder wrote:
>
> On Thu, 19 Apr 2007, Brent Callaghan wrote:
> >
> > Yes, stronger host-based security would be useful and might avoid some
> > of the overhead in administering Kerberos.
> >
> > But the most common complaint about NFS security relates to home
> > directories,
> > and host-based security does nothing to prevent one student messing
> > with another student's (or staff member's) home directory via the "su"
> > command.
>
> A very useful adjunct to better auth-sys security would be a way to squash
> all users on a given machine to nobody except for one (or a few) selected
> users. I'd like to have it even with current auth-sys.
People have asked for that before. I think it's just a question of
having someone sufficiently motivated to write the patches and then work
with everybody to iron out any problems.
If everyone was happy with a squashing scheme that required very little
data to describe (like, squash everyone with a uid higher than N), then
it might be possible to just add an export option. If people want to
squash all but some arbitrarily set of id's, or remap id's in some more
complicated way, then we need to add a new mechanism by which the kernel
can query a daemon for the mapping, etc. (probably using another server
cache thing--see net/sunrpc/cache.c).
The squashing is done in fs/nfsd/auth.c:nfsd_setuser(), which is where
any new mechanism would need to hook in.
--b.
More information about the NFSv4
mailing list