From owner-freebsd-hackers Wed Oct 6 16:22:42 1999
Message-Id: <199910062314.AAA03364@hak.lan.Awfulhak.org>
To: Pat Dirks
Cc: "FreeBSD Hackers"
Subject: Re: Apple's planned approach to permissions on movable filesystems
In-reply-to: Your message of "Tue, 05 Oct 1999 14:19:22 PDT." <199910052119.OAA24627@scv1.apple.com>
Date: Thu, 07 Oct 1999 00:14:52 +0100
From: Brian Somers

[.....]

> Instead we decided to leave all name <-> ID mapping systems unchanged and
> rely on a distinction between "local" filesystems whose permissions
> information should be used and a "foreign" filesystem mode where owner
> and group IDs are ignored.

[.....]

I think the owner and group of the person that mounted the filesystem
should be assigned to all files on that filesystem in FOREIGN mode. -u
and -g switches should be permitted to modify these, the -u being
restricted to root and the -g restricted to root or one of the groups
to which you are a member.

This assumes the BSD style I-must-have-permission-to-read-and-write-the-raw-partition
style filesystem mounting by users.
It would have horrendous implications with the linux-style
fstab-says-anyone-can-mount-this idea. But then, you already mention
this later on :-]

The filesystem code would also mask all suid bits and ignore all
char/device files on FOREIGN media (as you've already said too).

[.....]

> media) so we settled on identifying filesystems instead.

I don't think it's a good idea to be able to identify the filesystem as
being your own. It's too easy to introduce security problems that way.
I'd suggest a default of FOREIGN and a root-only mount option for LOCAL
- i.e., root decides, nothing's automated.

[.....]

> As long as the filesystem is "foreign" no owner or group changes
> (chown(2), chgrp(2)) are allowed (the id spaces are very possibly
> mutually meaningless; local name -> id mappings could make no sense to
> the original owner's system).

chmod(2) should still work, though. And what uid/gid do new files
get.... I can't say I like the idea of a magic ``nobody'' uid/gid.

[.....]

--
Brian

Don't _EVER_ lose your sense of humour !