Coda File System

Re: ACLs and disconnected operation

From: Jan Harkes <>
Date: Thu, 28 Feb 2002 17:23:35 -0500
On Sat, Feb 23, 2002 at 03:52:11PM -0500, Jan Harkes wrote:
> We don't cache acl's on a directory. Just thinking out loud here, we're
> caching access permissions on the fso's, actually access is defined by
> the directory acl, so we're almost too flexible right now.

Ok, next time I should clearly look at the code first,
> It might be possible to treat directories and files differently in
> venus, so we wouldn't cache access for individual files anymore, but
> only in the directories. This would have several advantages,

We already only check access though the directories, although every FSO
still has an 'access permissions cache', so we could still save on RVM
memory if these access caches are allocated separately, similarily we
always have a 'container-file' structure with every FSO, even for
symlinks and directories which don't really need one most of the time.

The problem here is mostly due to how we allocate objects in RVM. The
all fso structures are pre-allocated and it is easier when they are a
fixed size, perhaps when we have a better RVM allocator this can be
fixed more cleanly.

> > In summary, I think I'm arguing for an indefinite-life binding between
> > uuid and cuid for files already in the venus cache - one that survives
> > restarting venus.  This is security-wise analogous to copying files
> > from /coda into a regular UFS filesystem, where one doesn't need
> > authentication to read ones own files (or rather, that's what login is
> > about, and having a uid is the equivalent of a token).
> That might be as simple as removing the IsValidToken tests in various
> places.

I've been reading the code and playing around and it looks like all the
things we discussed (except for reducing RVM usage for file fso's) are
already working fine, even writing.

So I can restart a client completely disconnected and have full access
to any 'ACL-protected' directories that are in the cache, which I
accessed before shutting down venus even without having obtained a
token. The only needed thing was that the Coda servers need to be listed
with ip-address in /etc/hosts and everything you might want to access
should be cached. Hoard does the trick for me, but don't forget to hoard
the volumes leading up to the volume we want to access.

Now I'm scratching my head and wondering what isn't working correctly
when we're disconnected without tokens.

Only the fact that 'cunlog' merely invalidates and doesn't purge any
cached access rights?

Received on 2002-02-28 17:23:50