Coda File System

Re: Writing while disconnected

From: Ivan Popov <pin_at_medic.chalmers.se>
Date: Tue, 10 Aug 2004 19:48:27 +0200
Hello James,

On Tue, Aug 10, 2004 at 06:02:44PM +0100, James Le Cuirot wrote:
> While I can write with my normal user account, I cannot write as root. When I

Let us make it clear: for Coda "root" is nothing special, just
a uid, like any other. That uid's rights are determined in the same way,
by ACLs and by the tokens that uid possesses (in your case probably none).

> try, the command simply hangs until I press Ctrl+C. I use Entrance to log in and

Would you include a small typescript? Otherwise it is hard to know for sure
what situation it is and which command fails in which way.

> as far as I can tell, it writes the Xauthority file as root because when I try

If the login program tries to write things into Coda without having tokens
it is just plainly wrong. It should not succeed - unless the user's directory
is wide open to the whole world.
(the program _may_ have tokens as it gets the user's password,
but yours probably doesn't...)

> but I can imagine the inability to write as root causing problems in other ways.

Sure, all programs which depend on special root rights on non-local
filesystems will fail. Period.
It is not Coda-related; it is usual practice even on NFS.

Programs which switch uid to the user's one and try to write
as the user, without acquiring the tokens, will fail too!
It is their fault, as local uid possession can _not_ give global rights
without proving the identity to the file server.
Fortunately, PAM can help to some degree, acquiring the tokens.

You should also instruct login programs to create Xauthority somewhere
on a _local_ file system as that file is inherently Xserver==host bound.
You have no need (and you do not want) to share Xauthority information,
as you do not want to run X without tunneling anyway.

(it is a well-known security hole, .Xauthority on NFS...
as Coda does not encrypt the traffic, the hole would be as big on Coda, too)

Best regards,
--
Ivan
Received on 2004-08-10 13:50:14
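The access model Ivan describes above (a local uid, root included, carries no rights on the file server by itself; rights come from the directory ACL and from a token that proves identity to the server, and an untokened process is evaluated as the anonymous principal) can be shown with a small model. This is an added illustration written for this page, not code from the original message or from Coda itself: the `Token`, `Acl`, `rights_for` and `can_write` names, the `uid:<n>` principal naming and the single-letter rights are simplifications assumed here, and the sample ACLs are constructed.

```python
"""Simplified model of Coda-style access checks (added example, not Coda's code).

Rights letters follow the Coda/AFS convention: r(ead) l(ookup) i(nsert)
d(elete) w(rite) k(lock) a(dminister). The structure is an assumption made
for this illustration; real Coda evaluates ACLs on the server (codasrv).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

ANYUSER = "System:AnyUser"   # principal used for connections without a valid token
ALL_RIGHTS = set("rlidwka")


@dataclass(frozen=True)
class Token:
    """Identity the file server has verified (obtained via clog or a PAM module)."""
    uid: int
    expired: bool = False


@dataclass
class Acl:
    """Directory ACL: principal name -> set of rights letters."""
    entries: Dict[str, Set[str]]


def effective_principal(local_uid: int, token: Optional[Token]) -> str:
    """The principal the server sees. The local uid is deliberately ignored:
    only a valid token names a principal, otherwise the caller is anonymous."""
    if token is None or token.expired:
        return ANYUSER
    return f"uid:{token.uid}"


def rights_for(acl: Acl, local_uid: int, token: Optional[Token]) -> Set[str]:
    """Union of the anonymous rights and the rights granted to the token's principal."""
    rights = set(acl.entries.get(ANYUSER, set()))
    principal = effective_principal(local_uid, token)
    if principal != ANYUSER:
        rights |= acl.entries.get(principal, set())
    return rights


def can_write(acl: Acl, local_uid: int, token: Optional[Token]) -> bool:
    return "w" in rights_for(acl, local_uid, token)


# Constructed sample ACLs: a normal home directory and a "wide open" one.
HOME_ACL = Acl({"uid:1000": set(ALL_RIGHTS), ANYUSER: set("rl")})
OPEN_ACL = Acl({"uid:1000": set(ALL_RIGHTS), ANYUSER: set("rlidwk")})

ROOT = 0
USER = 1000


def demo() -> Dict[str, bool]:
    """Each case mirrors a statement in the message above."""
    return {
        # root without a token: anonymous, read/lookup only -> the write is refused
        "root_no_token_home": can_write(HOME_ACL, ROOT, None),
        # the user with a token for their own uid: full rights
        "user_with_token_home": can_write(HOME_ACL, USER, Token(USER)),
        # a login program that switched uid but never acquired a token: still anonymous
        "user_no_token_home": can_write(HOME_ACL, USER, None),
        # root holding the user's token (e.g. obtained through PAM): acts as the user
        "root_with_user_token_home": can_write(HOME_ACL, ROOT, Token(USER)),
        # an expired token drops back to anonymous rights
        "user_expired_token_home": can_write(HOME_ACL, USER, Token(USER, expired=True)),
        # only a directory open to the whole world lets untokened root write
        "root_no_token_open_dir": can_write(OPEN_ACL, ROOT, None),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:28s} write allowed: {allowed}")
```

The point the model makes explicit is that `local_uid` never enters the decision: whether the process is uid 0 or uid 1000 changes nothing, only the token does, which is why a login program that writes into a Coda home directory as root hangs or fails unless that directory grants write to System:AnyUser.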