Coda File System

Re: extended attributes

From: Jan Harkes <jaharkes_at_cs.cmu.edu>
Date: Mon, 26 Mar 2007 11:31:02 -0400

On Sun, Mar 25, 2007 at 09:08:00PM -0400, Chris PeBenito wrote:
> Does coda support extended attributes?  In particular I'd like to use
> coda with SELinux systems, which uses the extended attributes (security
> namespace) to store its labels.  I did some googling, but I only found a
> thread from 1997 asking pretty much the same question, so my guess would
> be no.

Extended attributes are not supported, and most likely will never be
supported in Coda.

There is no place in the existing meta-data structure for such
information, and it would only be useful for systems running SELinux.
There is no equivalent on any of the other operating systems, and it is
unclear what a non-SELinux system should do if it encounters an extended
attribute. I'm not even sure if it is appropriate, since such security
labels define a local policy.

For instance, Coda intentionally does not support setuid or setgid bits;
the 'setuid' capability is a local policy and better implemented through
a local mechanism. For instance, our webserver does have a need for some
setuid cgi programs, and this functionality is implemented by having a
non-setuid binary (foo.setuid) in /coda as well as a symlink to the
'super' application (foo -> /usr/bin/super). The super configuration
file (/etc/supertab) then defines the local policies for running these
applications, i.e. only allow setuid execution if the binary is in a
known location and started by some specific local user/application,
which user identity to use, and what environment variables are passed.

Jan
Received on 2007-03-26 11:33:00
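
The wrapper arrangement described in the message above, modelled as a local policy check. This is an added example, not part of the original message, and it is neither the super program's code nor /etc/supertab syntax; the rule table, paths, user names and the `decide` function are constructed for illustration.

```python
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    target: str                  # known location of the non-setuid binary
    allowed_callers: frozenset   # local users allowed to start it
    run_as: str                  # identity the wrapper switches to
    pass_env: frozenset          # environment variables passed through

# Constructed local policy, keyed by the name of the symlink that
# points at the wrapper (foo -> wrapper). All values are hypothetical.
POLICY = {
    "foo": Rule(
        target="/coda/example.org/cgi-bin/foo.setuid",
        allowed_callers=frozenset({"www-data"}),
        run_as="cgiuser",
        pass_env=frozenset({"REQUEST_METHOD", "QUERY_STRING"}),
    ),
}

SAFE_PATH = "/usr/bin:/bin"  # fixed PATH, never inherited from the caller

def decide(argv0, caller, env, policy=POLICY):
    """Return (target, run_as, clean_env) or raise PermissionError.

    Nothing is taken from the shared file system's metadata: the target
    path, the identity and the environment all come from the local table.
    """
    name = os.path.basename(argv0)  # the symlink name selects the rule
    rule = policy.get(name)
    if rule is None:
        raise PermissionError(f"no local rule for {name!r}")
    if caller not in rule.allowed_callers:
        raise PermissionError(f"{caller!r} may not run {name!r}")
    # Allow-list the environment; LD_PRELOAD and friends are dropped.
    clean_env = {k: v for k, v in env.items() if k in rule.pass_env}
    clean_env["PATH"] = SAFE_PATH
    return rule.target, rule.run_as, clean_env

if __name__ == "__main__":
    request_env = {"QUERY_STRING": "id=7", "LD_PRELOAD": "/tmp/x.so"}
    print(decide("/var/www/cgi-bin/foo", "www-data", request_env))
```

A client without a matching local rule sees foo.setuid as an ordinary unprivileged file, which is why the privilege decision can stay out of the shared file system.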