Coda File System

Re: group permission

From: Peter J. Braam <braam_at_cs.cmu.edu>
Date: Thu, 29 Apr 1999 11:34:41 -0400
Hi,

So you want a sticky bit on the directory.  Not a bad idea - this is
also quite desirable for email spool directories etc.  This is one of
the main problems of the AFS/Coda security model.  Where it tries to
diverge from Unix it runs into trouble in system directories like
"mail", "/tmp" etc. where sticky bits are used.  But it is pretty easy
to change Coda a little bit and perfectly acceptable, to accomodate
this.  

Clearly what you want requires making a distinction between the owner
and others. For this to make sense, "owner" must represent a "coda" uid
and not a Unix uid.  The kernel however creates files with the Unix
"uid" so that will need fixing up in the "create and mkdir" upcalls.  
They will return the attributes of the created file and the kernel
should set the owner to the Coda uid. [Although one could also argue
that there are two owners and the kernel sees a Unix uid while Venus
only sees a Coda uid -- that's getting pretty confusing though.].

Next, we must prevent chown - probably chown should require "a" rights
on the parent.   So "chown" will be allowed when administrative rights
are present on the directory - that makes ownership a protected
property.   

Our ACLs won't do what you want - so we'll have to rely on the mode
bit.  So "chmod" similarly should not always be honoured, only with "a"
rights on the parent.  This is currently not done, and requires a few
extra lines in vproc_vfscalls (setattr ~l 430), to find the parents and
check the rights.

So the picture would be roughly as follows: when you want to delete a
file or remove a directory, we require rights on two objects: the parent
and the child (you are changing the link count of the child).  

On the parent, the "d" ACL field should be set, this is already checked
in vproc_vfscalls.cc line 771.   We could regard changing the link count
as having a "w" bit on the child. So we add a line (772 or so) requiring
that. That would fit well.    So if the caller has "w" rights we let it
go through, and the caller doesn't we don't.   [This also can disallow
writing by others (but you might have to look at the "open" calls to
make sure it is enforced), and sensibly, if writing is allowed by
others, the file can be removed too.] 

Things like this werer already done in AFS but the code for it in Coda
is commented out (around line 350 in coda-src/venus/fso_cfscalls.cc).  
Reading Satya's AFS security paper, the protection was put in place to
prevent accidental deletions - by "anyone", now we are refining this to
use the owner.

Also it looks like the old AFS mechanism was not quite done in the way
we want it now, since the "vuid" is not taken into account when looking
at the mode bit.  The usual macros munging on the bits in mode while
comparing the "vuid" (the identity of the caller) and the "owner" must
be taken into account. 

So I think this is an excellent little hacking project, to adapt
fsobj::Access to do exactly what you want.  I think it's not too much
work to do this.  If you do it send us the patch, then we'll put it in. 

- Peter -




Simone Celli_Marchi wrote:
> 
> On Wed, 28 Apr 1999 jaharkes_at_cs.cmu.edu wrote:
> 
> > | I have a volume named public mounted in /coda/public and a group
> > | called public. I want that all user belong group public can write in /
> > | coda/public but can't delete file of other users. Is it possible
> > | without set a acl for any user ?
> >
> > Well, you can set an ACL for a group of users, or in your case
> > System:Anyuser, the group of all users.
> >
> > So something like `cfs sa /coda/public System:AnyUser rwil' should do
> > the trick.
> 
> But in this way a user can't delete own files !
Received on 1999-04-29 11:36:32