Coda File System

Re: Large files (Poss OT)

From: Jan Harkes <jaharkes_at_cs.cmu.edu>
Date: Mon, 28 Oct 2002 12:27:36 -0500

On Fri, Oct 25, 2002 at 08:24:31AM +1300, Nathan Ward wrote:
> The thing is, ACLs that are honoured client-side are no good.  Network
> of kernel developers, so they need root.  This is why Coda interested
> me, in my test network the ACLs appear to be looked after server-side.
> And of equal interest it doesn't seem to let you +s files ;].

Correct, Coda enforces security at the server, the client just helps out a
bit to avoid too many unnecessary operations, and the kernel in many
cases is enforcing its own security decisions that in some cases are
conflicting with Coda's access permissions, so that is a bit annoying.

You can always mount filesystems 'nosuid' to make sure you don't get hit
by other clients messing with the suid bits. For Coda we just made the
decision that suid is evil in a distributed system and we actively block
setting the setuid bits, but also actively filter them from whatever we
get back from the server. So even if someone puts up a compromised
server that allows setuid, it won't affect non-compromised clients.

Reliable setuid is easily done with 'super' running off the local disk.
The advantage is that it gives the local user complete control over
which programs can safely be allowed to run setuid, and exactly when and
where local users are allowed to run them.

Jan
Received on 2002-10-28 12:28:31
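
The two-sided client policy described in the message above (refuse to set the setuid bits, and filter them out of whatever the server returns), as an added example that is not Coda's code and not part of the original message. The struct, the function names, the sample reply and the choice to treat setgid the same as setuid are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Assumption of this example: setgid is blocked together with setuid. */
#define PRIV_BITS ((mode_t)(S_ISUID | S_ISGID))

/* Hypothetical attribute record, as a client might decode it from a server reply. */
struct srv_attr {
    const char *name;
    mode_t mode;
};

/* Outbound path: reject a chmod-style request that asks for setuid/setgid. */
int client_check_setattr(mode_t requested)
{
    return (requested & PRIV_BITS) ? -EPERM : 0;
}

/* Inbound path: do not trust the server's mode bits. Strip the privileged
 * bits and report whether any were present, so the caller can log it. */
int client_filter_attr(struct srv_attr *a)
{
    int stripped = (a->mode & PRIV_BITS) != 0;
    a->mode &= ~PRIV_BITS;
    return stripped;
}

/* Filter a whole reply (for example a directory listing); returns entries altered. */
int client_filter_reply(struct srv_attr *v, int n)
{
    int altered = 0;
    for (int i = 0; i < n; i++)
        altered += client_filter_attr(&v[i]);
    return altered;
}

int main(void)
{
    /* Constructed sample reply from a server that permits setuid. */
    struct srv_attr reply[] = {
        { "notes.txt", 0644 }, { "helper", 04755 }, { "shared", 01777 },
    };
    int n = client_filter_reply(reply, 3);
    for (int i = 0; i < 3; i++)
        printf("%-10s %04o\n", reply[i].name, (unsigned)reply[i].mode);
    printf("entries altered: %d, chmod 4755 -> %d\n", n, client_check_setattr(04755));
    return 0;
}
```

The sticky bit on `shared` passes through untouched; only the bits that change the effective user or group of an executed file are dropped.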