1998-12-17 15:29:50

by Albert D. Cahalan

Subject: Re: autofs vs. Sun automount -- new fs proposal


Peter Benie writes:
> Stefan Monnier <monnier+misc/[email protected]> wrote:
>> [email protected] (Peter Benie) wrote:

>>> I don't actually see the point of implementing a read-only loopback
>>> mount. There are already protection mechanisms in the kernel to
>>> prevent one user from writing to another user's files. If you need to
>>> run a program so that it cannot write to any files, just run the
>>> program under a different uid.
>>
>> Following the same reasoning: why allow things like `chmod u-w' since
>> the user can change it back anyway!
>
> Huh? I can't see how that follows, and I don't understand the point
> that you're trying to make.
>
> What I'm saying is that there are standard ways under Unix to stop
> programs from writing to your files
...
> To use the kernel's existing protection mechanisms that protect
> non-zero uids from each other.


Those protection mechanisms are likely to fail.
The NSA even has a report on the failure of normal access control:

http://www.jya.com/paperF1.htm

The report explains why access control failure is inevitable, at least
with the normal controls provided by unix and NT. They advocate some
more advanced methods that help prevent mistakes.
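The point Stefan and Albert are circling (that mode bits set by a file's owner are advisory against that owner's own processes, so uid-based DAC cannot confine a program that runs as you) can be shown directly. The script below is an added example, not part of the thread; it assumes only POSIX sh, chmod, id, mktemp and a writable temporary directory. The function and file names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a chmod u-w applied by the owner is
# self-revocable, because any process running as that uid can chmod it back
# before writing. Assumes POSIX sh, chmod, id, mktemp and a writable $TMPDIR.

# try_write FILE TEXT -> prints "ok" if the append succeeded, else "denied"
try_write() {
    if printf '%s\n' "$2" >> "$1" 2>/dev/null; then
        echo ok
    else
        echo denied
    fi
}

# dac_self_revoke_demo: returns 0 if the owner could restore write permission
# and then write to the file, i.e. the u-w "protection" was undone by the
# very uid it was supposed to restrain.
dac_self_revoke_demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/protected"                 # constructed sample file
    : > "$f"
    chmod u-w "$f"
    echo "uid $(id -u): write after chmod u-w -> $(try_write "$f" first)"
    # A non-root uid sees "denied" above; root sees "ok" because
    # CAP_DAC_OVERRIDE ignores mode bits entirely, another DAC limit.
    chmod u+w "$f"                     # the owner can always undo its own mode bits
    r=$(try_write "$f" second)
    echo "write after chmod u+w -> $r"
    if [ "$r" = ok ] && grep -q second "$f"; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

dac_self_revoke_demo
```

Because the restriction and the subject share a uid, the outcome does not depend on the mode bits at all. Anything that has to hold against a process running as that user (a read-only view of the tree, a mandatory policy of the kind the cited report argues for) must be enforced by a mechanism the uid cannot revoke.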