On Sat, Feb 23, 2002 at 03:52:11PM -0500, Jan Harkes wrote:
> We don't cache acl's on a directory. Just thinking out loud here, we're
> caching access permissions on the fso's, actually access is defined by
> the directory acl, so we're almost too flexible right now.

Ok, next time I should clearly look at the code first,

> It might be possible to treat directories and files differently in
> venus, so we wouldn't cache access for individual files anymore, but
> only in the directories. This would have several advantages,

We already only check access through the directories, although every FSO
still has an 'access permissions cache', so we could still save on RVM
memory if these access caches are allocated separately. Similarly, we
always have a 'container-file' structure with every FSO, even for
symlinks and directories which don't really need one most of the time.

The problem here is mostly due to how we allocate objects in RVM. All
the fso structures are pre-allocated and it is easier when they are a
fixed size; perhaps when we have a better RVM allocator this can be
fixed more cleanly.

> > In summary, I think I'm arguing for an indefinite-life binding between
> > uuid and cuid for files already in the venus cache - one that survives
> > restarting venus. This is security-wise analogous to copying files
> > from /coda into a regular UFS filesystem, where one doesn't need
> > authentication to read one's own files (or rather, that's what login is
> > about, and having a uid is the equivalent of a token).
>
> That might be as simple as removing the IsValidToken tests in various
> places.

I've been reading the code and playing around and it looks like all the
things we discussed (except for reducing RVM usage for file fso's) are
already working fine, even writing.
So I can restart a client completely disconnected and have full access
to any 'ACL-protected' directories that are in the cache, which I
accessed before shutting down venus, even without having obtained a
token. The only needed thing was that the Coda servers need to be listed
with IP address in /etc/hosts and everything you might want to access
should be cached. Hoard does the trick for me, but don't forget to hoard
the volumes leading up to the volume we want to access.

Now I'm scratching my head and wondering what isn't working correctly
when we're disconnected without tokens. Only the fact that 'cunlog'
merely invalidates and doesn't purge any cached access rights?

Jan

Received on 2002-02-28 17:23:50