Coda File System

modebits

From: Peter J. Braam <braam_at_cs.cmu.edu>
Date: Mon, 9 Feb 1998 12:21:24 -0500 (EST)
Your project is to arrange that Coda respects mode bits in addition to
ACL's.  In this way, an individual file in a directory can be protected
against being overwritten.  Also I'd like you to investigate to what
extent chown and chmod currently work and what the desirable extensions
would be. For example, installing suid programs is important. Also we
would like a chown to work quite generally (but probably remove any suid
bit to avoid security leaks). Satya's paper has some background on this.

The complicating issue here is that you are NOT implementing Unix
semantics:  

 - Unix semantics would also deny a chmod operation on the file if its "w" 
bit was not set.  This we want to leave under control by the ACL and not
in the mode bit. 

 - Coda will ignore anything but:
 a) the "w" bit for owner of regular files
 b) the "x" bit of regular files
 c) the suid bit of regular files
 d) it could/should respect the sgid bit (it may do this automatically) on
directories

Task one for you is to understand the detailed functioning of these mode
bits, and to get Satya's paper on security from Bradley. 

A) in the kernel code for Coda (do it for version 2.1): you should
probably NOT modify coda_access since in that way you would block chmods.
Instead you should put a check for the "w" bit in the coda_write call.

You should NOT modify open since then fchmod would start to fail.

B) Venus does not see writes, but it should refuse to store a new copy of
a file if the "w" bit is not set. Probably it is best to intercept this
issue in coda-src/venus/vproc_vfscalls.cc vproc::close

You should NOT modify vproc::open since then fchmod would start to fail.

C) The server should refuse to server a "STORE" rpc unless the "w" bit is
set.  This is done in coda-src/vice/srvproc.cc in the routine 
CheckStoreSemantics.

Then analyse the "x" bit in a similar way (this is entirely kernel based I
think, since the server never sees "x" and Venus just sees the open. 

When this works we'll look a bit a suid programs and chown (read Satya's
paper, it talks about this). 

Could you let me know if you are using sparc or intel -- I forgot to take
that down.

- Peter -
Received on 1998-02-09 12:22:57