Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.rmit.EDU.AU!news.unimelb.EDU.AU!munnari.OZ.AU!news.mel.connect.com.au!news.mira.net.au!inquo!bofh.dot!in-news.erinet.com!imci5!imci4!newsfeed.internetmci.com!in1.uu.net!news.artisoft.com!usenet
From: Terry Lambert <terry@lambert.org>
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: FreeBSD vs. Linux
Date: Sat, 01 Jun 1996 17:43:41 -0700
Organization: Me
Lines: 74
Message-ID: <31B0E3BD.60B31603@lambert.org>
References: <318FA7CB.8D8@hkstar.com> <31A2A83D.67A89A35@lambert.org> <4o21cu$qrn@news.zipnet.net> <4o584s$n9l@uriah.heep.sax.de> <4ogkn2$20b@Mercury.mcs.com>
NNTP-Posting-Host: hecate.artisoft.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 2.01 (X11; I; Linux 1.1.76 i486)

Leslie Mikesell wrote:
] >> =This one I don't understand -- unless you are using the machine
] >> =as a single user box, or don't care that every Linux user is
] >> =using a single set of credentials to access the SMB servers,
] >> =and therefore you have no user-level access controls.
] >>
] >> Terry, please. Of course it is a "single user box", that's what
] >> everyone has in the office these days.
]
] >So the boxes are ``on average less than single-user'', but not with
] >respect to the user credentials. (This doesn't even account for
] >pseudo-users, Web or FTP server users, modem login users etc.)
]
] Yes, but that makes the more interesting issue whether or not it
] may be useful to allow these users and pseudo-users access to
] certain remote files even though the remote filesystem doesn't
] maintain a concept of multiple users. (That is, might you want
] to use a network to actually share access?).

SMB servers and NetWare servers *do* have a concept of user; they
just don't have the concept separate from connection. This is an
implementation issue for an SMBFS, and is trivial to address.

The issue is that this requires the kernel to proxy the user
credentials to create a connection per user accessing the FS at a
given time.

The problem here is that the UNIX user interaction model doesn't
allow the kernel to say "what are your credentials?" to a UNIX user
in the middle of running a program. This is because UNIX credentials
are associated with sessions, and a session ID is synonymous with a
process group leader, and the credentials are associated with the
proc struct instead of being used in common for all processes with a
given user ID.

NFS uses this credential model by having the client user on a given
host have to run on a "trusted" host to allow the kernel to proxy the
user credentials to the server by inserting them into the packets
that go across the wire.

Because SMB and NetWare servers don't have the concept of "trusted
host", a proxy approach won't work. The conversion of credentials
must take place on the client system. This is easier to think of if
you think of each login session on a UNIX box as an authentication
instance (or "client").

This is a harder problem to solve. People seem to be willing to
sacrifice security rather than addressing this issue; in particular,
the Linux SMBFS does exactly that: sacrifices user-level security for
a marginal improvement in convenience.

I've already noted multiple designs which don't require you to give
up user level security like Linux SMBFS. Pick one and implement it,
or come up with your own, and no one will complain about including an
SMBFS.

I am reminded of the security implications of the NTFS redirector for
DOS systems on the O'Reilly GNN site: without NT there to enforce
policy, policy is subverted.

Terry Lambert
terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
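
The distinction drawn in the post above, as an added example that is not part of the original post and is not code from any real SMBFS: a simplified C model of a server that binds identity to the connection, comparing one mount-time connection shared by every local uid with one connection per authenticated local user. All names (conn, sess, shared_read, session_login, per_user_read) and the sample users are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Simplified model; all names are hypothetical. Identity is bound to the connection. */
struct conn { const char *server_user; };

/* Server side: the only identity it ever sees is the connection's. */
static int server_read(const struct conn *c, const char *owner)
{
    return strcmp(c->server_user, owner) == 0 ? 0 : -EACCES;
}

/* Model A: one connection made at mount time, shared by every local uid. */
static int shared_read(const struct conn *mount_conn, unsigned uid, const char *owner)
{
    (void)uid;   /* the local uid never reaches the server */
    return server_read(mount_conn, owner);
}

/* Model B: one connection per local uid, created when that user authenticates. */
#define MAX_SESS 8
static struct sess { unsigned uid; struct conn c; int used; } table[MAX_SESS];
static int session_login(unsigned uid, const char *server_user)
{
    for (size_t i = 0; i < MAX_SESS; i++)
        if (!table[i].used || table[i].uid == uid) {   /* free slot or re-login */
            table[i] = (struct sess){ uid, { server_user }, 1 };
            return 0;
        }
    return -ENOSPC;
}

static int per_user_read(unsigned uid, const char *owner)
{
    for (size_t i = 0; i < MAX_SESS; i++)
        if (table[i].used && table[i].uid == uid)
            return server_read(&table[i].c, owner);
    return -EACCES;   /* no credentials held for this uid: refuse, never fall back */
}

int main(void)
{
    struct conn mount_conn = { "alice" };   /* constructed sample users */
    session_login(1000, "alice"); session_login(1001, "bob");
    printf("shared uid 1001: %d, per-user uid 1001: %d, uid 1002: %d\n",
           shared_read(&mount_conn, 1001, "alice"),
           per_user_read(1001, "alice"), per_user_read(1002, "alice"));
    return 0;
}
```

In the shared model the server grants uid 1001 the mounting user's access because it cannot tell the local users apart; in the per-user model the same request is refused by the server's own access control, and a uid with no session is refused on the client.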