Coda File System

Re: the protection model

From: Adam Megacz <megacz_at_cs.berkeley.edu>
Date: Sat, 24 Mar 2007 23:07:29 -0700
u+codalist-p4pg_at_chalmers.se writes:
> all processes with the same uid can potentially influence each other
> by modifying files in the home directory - as the home directory is normally
> used to find [references to] resources, via dotfiles and the like.

... unless there is no home directory.  At least, no home directory
which can be accessed using only the "UNIX UID" as a credential.  IMHO
this is the sensible approach for AFS/Coda and similar systems.

I'd worry more about various IPC and shared-memory facilities -- for
example you can attach a debugger to any other process with the same
UID.

A possible solution is to synthesize a new UNIX UID for each login
shell (could probably be done in a PAM session module) and reclaim
them when the user logs out.  If the only publicly writable space on
local disk is /tmp, this should be easy to clean up after.

  - a
Received on 2007-03-25 03:10:48
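The per-login UID scheme sketched above, as an added example; this is not code from the Coda list, from Adam Megacz, or from any real PAM module. It models the two halves a PAM session module would implement: hand each login a UID that no other session holds, and on logout sweep what the session left behind (processes still running as that UID, entries it owns in /tmp) before the UID can be handed out again. The reserved range 60000-60999, the Linux /proc layout used to find processes, and the callback-based design that stands in for the privileged setuid/kill/unlink calls are all assumptions made so the allocator runs and can be exercised without root.

```python
"""Ephemeral per-login UID pool (added example, not the post's or PAM's code).

Assumptions: UIDs 60000-60999 are reserved for synthetic logins; the home
directory is not reachable with the synthetic UID alone (the post's premise);
the privileged operations are injected as callables."""

import os
import shutil
import signal
import stat
from collections import deque
from dataclasses import dataclass


@dataclass
class Session:
    account: str  # the real account that logged in
    uid: int      # the synthetic UID this login runs as


def tmp_files_owned_by(uid, tmpdir="/tmp"):
    """Top-level entries of tmpdir owned by uid.  lstat is used on purpose: a
    symlink planted in /tmp is judged by its own owner, not by the owner of
    whatever it points at."""
    return [entry.path for entry in os.scandir(tmpdir)
            if entry.stat(follow_symlinks=False).st_uid == uid]


def remove_path(path):
    """Delete one /tmp entry.  Only a real directory is descended into; a
    symlink (even one pointing at a directory) is just unlinked."""
    if stat.S_ISDIR(os.lstat(path).st_mode):
        shutil.rmtree(path)
    else:
        os.unlink(path)


def procs_running_as(uid, proc="/proc"):
    """PIDs whose real UID is uid (Linux /proc layout assumed)."""
    pids = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc, name, "status")) as f:
                for line in f:
                    if line.startswith("Uid:"):
                        if int(line.split()[1]) == uid:
                            pids.append(int(name))
                        break
        except OSError:
            continue  # process exited while we were looking
    return pids


def kill_process(pid):
    try:
        os.kill(pid, signal.SIGKILL)
    except ProcessLookupError:
        pass  # already gone


class UidPool:
    def __init__(self, first=60000, last=60999):
        self.free = deque(range(first, last + 1))
        self.active = {}       # uid -> Session
        self.quarantined = {}  # uid -> leftovers that still refer to it

    def open_session(self, account):
        """open_session half: give this login a UID nobody else holds, even
        another concurrent login of the same account."""
        if not self.free:
            raise RuntimeError("ephemeral UID range exhausted; refuse the login")
        session = Session(account, self.free.popleft())
        self.active[session.uid] = session
        return session

    def close_session(self, session, procs_of=procs_running_as,
                      files_of=tmp_files_owned_by, kill=kill_process,
                      remove=remove_path):
        """close_session half: evict what the login left behind.  The UID is
        returned to the pool only when nothing refers to it any more; otherwise
        it is parked, because reusing it would hand the next login a stranger's
        processes (ptrace-able, same-UID IPC) and files."""
        uid = session.uid
        del self.active[uid]
        for pid in procs_of(uid):
            kill(pid)
        for path in files_of(uid):
            remove(path)
        leftovers = {"procs": procs_of(uid), "files": files_of(uid)}
        if leftovers["procs"] or leftovers["files"]:
            self.quarantined[uid] = leftovers
            return False
        self.free.append(uid)
        return True
```

The re-check after the sweep is the part that matters: a UID that still has a process or a file attached must stay out of circulation, otherwise the next login inherits exactly the same-UID exposure the post is trying to remove. A real module would also have to sweep System V IPC objects (shared-memory segments, semaphores, message queues) owned by the UID, since those survive the processes that created them.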