[RFC] Security Enhanced NFS (SENFS) Requirements - draft 05
Casey Schaufler
casey at schaufler-ca.com
Sat Jun 23 00:07:02 EDT 2007
--- James Morris <jmorris at namei.org> wrote:
> On Fri, 22 Jun 2007, Casey Schaufler wrote:
>
> > Somewhere between 2000 and 2002 (it's all a blur to me now) SGI
> > made the OB1 project available on oss.sgi.com.
>
> I remember that :-)
>
> > Included in this
> > project was the source code for an extended attribute protocol
> > to sit beside NFSv3. I have attached the code as a worked example
> > of how one can go about implementing linux style* extended attributes
> > in a distributed environment. This scheme does not address all of
> > your requirements, it only addresses transport and storage, it does
> > not address authentication or validation.
>
> Interesting -- I gather you ran this over labeled networking?
You can, and we did, but we also ran it over unlabeled networks.
It is a protocol that handles extended attributes, which Irix
(vanilla Unix) used for ACLs and capabilities. The protocol is
agnostic to the use to which the attributes are put and to their
content, like any good file system. It doesn't do crypto. It does
not do attribute validation or translation, but neither do other
file systems.
I have ideas on those issues, but gotta run. I'll see about
coming back to it.
Casey Schaufler
casey at schaufler-ca.com