A group of us at Apple are trying to figure out how to handle situations where a filesystem with "foreign" user IDs is present. The basic problem is that the user experience using Unix semantics is not really pleasant. I think some examples would help:
I'm working with Joe on a project, and I have some sources I want him to take a look at, so I mount a floppy disk. Well, that's a bad example, because floppies are "out"... So I mount a zip disk with UFS on it, and I copy my source tree onto it, and hand this to Joe. Joe takes the disk home, and sticks it in his computer, and he finds that he can't read the files, because I have a lamer umask, and as a bonus, I don't have an account on his machine, so the files are owned by some random UID. I think the desired behaviour would be that since this is effectively now Joe's zip disk, he should be able to do as he pleases.

One proposal might be to give the console user the equivalent of root's privileges on any removable media he inserts into the machine while he's logged in on the console. This solves the immediate problem of permissions for Joe, since the file owners are, on his machine and in this situation, largely irrelevant. Presumably the console user is the one fiddling with the external media.

As another example, a similar situation often comes up on the net with tar files containing UIDs and GIDs other than zero.

One problem with my proposal (setting security and perhaps other implications aside for the moment) is that knowing what media is removable is becoming increasingly difficult. Hot-swappable drives (e.g. FireWire) are effectively removable, and may be transported between machines fairly regularly. Furthermore, your "internal" drives, which are presently presumed to be local, may be on the same bus and indistinguishable from the "external" drives. So perhaps there needs to be a way to mark a drive as local (perhaps with a host ID of some sort?) and noticing when a volume is "foreign" that you need to do something special. Certainly you might want to ignore setuid bits, for starters. This could simply be something like fstab, which lists the local drives, and everything else isn't considered local.
But then the question is, how do we want to deal with non-local filesystems? The ideal thing would be to have a way to transport user information with the filesystem (e.g. uids on disk are mapped to system uids via a per-filesystem database with more global IDs like email addresses), but that could be expensive. Am I spewing babel? :-)

Has anyone dived into this area already and have some experience with it? It's confusing me pretty good.

Thanks,
-Fred

--
Wilfredo Sanchez, wsanc...@apple.com
Apple Computer, Inc., Core Operating Systems / BSD
Technical Lead, Darwin Project
1 Infinite Loop, 302-4K, Cupertino, CA 95014
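The policy sketched in the message above, worked through as an added example that is not part of the original post or of any Apple or FreeBSD code: an fstab-style list names the local devices and anything else is treated as foreign; a foreign volume carries a small per-volume table mapping its on-disk UIDs to a global identity (here an email address, as the post suggests); the local passwd maps those identities back to local UIDs; anything unmapped falls back to the console user; and setuid/setgid bits are dropped on foreign volumes. The device names, users, email addresses and the shape of the per-volume table are all assumptions constructed for the example.

```python
"""Toy 'foreign volume' policy (added example, not code from the post).

Assumed model (not from the post):
  * LOCAL_FSTAB lists the local devices; any other device is 'foreign'.
  * A foreign volume carries an on-disk table: on-disk uid -> email address.
  * The local passwd table maps email address -> local uid.
  * Unknown identities map to the console user; setuid/setgid bits are cleared.
"""
import stat
from dataclasses import dataclass

# Constructed sample fstab: these devices are considered local.
LOCAL_FSTAB = """
# device        mountpoint  type  options
/dev/ad0s1a     /           ufs   rw
/dev/ad0s1e     /usr        ufs   rw
"""

# Constructed local passwd: global identity (email) -> local uid.
LOCAL_PASSWD = {
    "joe@example.com": 1001,
    "alice@example.com": 1002,
}

# Constructed per-volume identity table carried on the foreign disk:
# on-disk uid -> email address of the owner on the originating machine.
FOREIGN_VOLUME_UID_DB = {
    501: "fred@example.com",   # no local account
    502: "joe@example.com",    # has a local account
}


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # full st_mode, type bits included


def local_devices(fstab_text=LOCAL_FSTAB):
    """Parse the first column of an fstab-style text into a set of devices."""
    devs = set()
    for line in fstab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        devs.add(line.split()[0])
    return devs


def is_foreign(device, fstab_text=LOCAL_FSTAB):
    """A device not listed in fstab is treated as foreign (removable/transported)."""
    return device not in local_devices(fstab_text)


def map_foreign_inode(inode, volume_uid_db, console_uid, console_gid,
                      passwd=LOCAL_PASSWD):
    """Translate ownership and mode of an inode read from a foreign volume.

    uid: on-disk uid -> email (volume table) -> local uid (passwd);
         anything unmapped becomes the console user.
    gid: collapsed to the console user's group (the post leaves GIDs open).
    mode: setuid and setgid bits cleared, as the post suggests for foreign media.
    """
    email = volume_uid_db.get(inode.uid)
    uid = passwd.get(email, console_uid) if email is not None else console_uid
    mode = inode.mode & ~(stat.S_ISUID | stat.S_ISGID)
    return Inode(uid=uid, gid=console_gid, mode=mode)


def view_inode(device, inode, console_uid, console_gid,
               volume_uid_db=FOREIGN_VOLUME_UID_DB):
    """What the local system should present for an inode on `device`."""
    if not is_foreign(device):
        return inode  # local disk: trust on-disk ownership and mode as-is
    return map_foreign_inode(inode, volume_uid_db, console_uid, console_gid)


if __name__ == "__main__":
    # Alice (uid 1002, gid 20) is at the console and inserts Fred's zip disk.
    zip_disk = "/dev/da0s1a"
    for ino in (Inode(501, 100, 0o100600),   # Fred's file, umask-restricted
                Inode(502, 100, 0o100640),   # Joe's file
                Inode(0, 0, 0o104755)):      # a setuid-root binary
        print(ino, "->", view_inode(zip_disk, ino, 1002, 20))
```

Running the block shows Fred's files becoming Alice's (no local identity for him), Joe's file keeping Joe as owner through the email mapping, and the setuid bit on the root-owned binary being stripped; the same inodes on `/dev/ad0s1a` come back untouched.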