Re: move audit/privilege check into VFS



On Mon, 23 Apr 2007, Howard Su wrote:

> On 4/23/07, Robert Watson <rwatson@xxxxxxxxxxx> wrote:
>
> > Pawel and I have talked about this a bit in the past -- vaccess(9) and vaccess_acl_posix1e(9) were really the first step in abstracting file system access control decisions, and aren't a bad step -- they certainly cover a lot of the previously plentifully replicated cases (countless foo_access() VOP implementations). However, I think we should be restrained and do a bit of experimentation -- sometimes as much work could be done bundling up the common arguments to deliver them to a central access check as is done in having the access check appear in the calling code itself. Can we refine VOP_ACCESS() a bit further to get what we need, or do we need new common functions?
>
> In FS dependent code, we don't only call VOP_ACCESS, but also check some flags like ISUID, ISGID, NOUNLINK, APPEND, etc. This sort of stuff is so prone to regression when I work on tmpfs, and it should be almost the same code in all the FSes. However, VFS doesn't have this sort of information in the vnode structure. Can this be added?

I don't think I would add these to the vnode -- remember that, for distributed file systems, these fields may change asynchronously, and that for at least one critical distributed file system (NFS) there is no asynchronous notification facility from the server. I like the vaccess() approach, in which the file system is responsible for determining the values of any relevant fields, and passing them into what is effectively a library routine that performs the check. This avoids having these access control checks perform VOP's, which has significant overhead, and allows the file system to optimize storage/retrieval of these volatile fields.

Robert N M Watson
Computer Laboratory
University of Cambridge
_______________________________________________
freebsd-arch@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "freebsd-arch-unsubscribe@xxxxxxxxxxx"
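The vaccess()-style split Robert describes above, as an added example that is not FreeBSD's code: the file system supplies a snapshot of the mode, owner and file flags it already holds, and a hypothetical fs_access_check() (modeled loosely on vaccess(9), with illustrative constant values and a made-up ACC_DELETE/ACC_APPEND request bit) makes the decision without issuing any VOP. It also centralises the flag checks Howard mentions (immutable, append-only, nounlink), which bind the superuser as well.

```c
/* Added example in the spirit of vaccess(9); it is not FreeBSD's code.
 * The file system hands over a snapshot of fields it already holds
 * (mode, owner, file flags) and this library routine decides. No VOP is
 * issued, so a distributed FS keeps control of how fresh those fields are. */
#include <errno.h>
#include <stdint.h>

/* Requested access (illustrative values, not the kernel's VREAD/VWRITE). */
#define ACC_EXEC    0x1
#define ACC_WRITE   0x2
#define ACC_READ    0x4
#define ACC_APPEND  0x8   /* hypothetical: the write only appends */
#define ACC_DELETE  0x10  /* hypothetical: unlink/rename of this node */

/* Per-file flags modeled on chflags(2) immutable/append/nounlink (own values). */
#define FL_IMMUTABLE 0x1
#define FL_APPEND    0x2
#define FL_NOUNLINK  0x4

struct cred       { uint32_t uid, gid; };
struct fnode_attr { uint32_t mode, uid, gid, flags; };   /* filled in by the FS */

/* Returns 0 if access is granted, otherwise an errno value. */
int fs_access_check(const struct fnode_attr *a, const struct cred *cr, int acc)
{
    /* File flags bind everyone, including the superuser, so test them first. */
    if ((acc & (ACC_WRITE | ACC_DELETE)) && (a->flags & FL_IMMUTABLE))
        return EPERM;
    if ((acc & ACC_WRITE) && (a->flags & FL_APPEND) && !(acc & ACC_APPEND))
        return EPERM;
    if ((acc & ACC_DELETE) && (a->flags & FL_NOUNLINK))
        return EPERM;

    /* ACC_DELETE alone has no mode-bit component here; the caller checks
     * write permission on the directory separately. */
    uint32_t want = acc & (ACC_READ | ACC_WRITE | ACC_EXEC);
    if (cr->uid == 0) {
        /* Superuser bypasses mode bits, except exec needs some x bit set. */
        if ((want & ACC_EXEC) && !(a->mode & 0111))
            return EACCES;
        return 0;
    }
    /* Pick the owner, group or other triad as in the classic UNIX check. */
    uint32_t triad;
    if (cr->uid == a->uid)      triad = (a->mode >> 6) & 7;
    else if (cr->gid == a->gid) triad = (a->mode >> 3) & 7;
    else                        triad = a->mode & 7;
    return (want & ~triad) ? EACCES : 0;
}
```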