Non-UNIX permission models (resent)

Michael B Allen mba2000 at ioplex.com
Sat Oct 1 00:33:48 GMT 2005


On Thu, 29 Sep 2005 16:25:47 +0200
Andreas Gruenbacher <agruen at suse.de> wrote:

> Very briefly put, I believe that we need a few small changes at the VFS 
> (virtual filesystem) layer, and with those, the CIFS and other permission 
> models can be implemented at the low-level filesystem layer relatively 
> easily. I'm thinking of allowing the user to choose a permission model per 
> mount.

To be honest I'm not clear about what you're trying to do but it seems
to me this would only help with maybe the SACL whereas I don't see a
terrible problem with just storing the DACL using xattrs.

Actually permissions are only half the problem if you can only check
them against a uid and some gids. Meaning, Linux could greatly benefit
from a more sophisticated *security context*. We need something to store
credentials. This would alleviate a lot of the desktop annoyances like
keychains, ssh-agent, and sudo but it would also assist with server
implementations.

Specifically, there could be partially opaque credential and principal
types. Then a list of credentials can be associated with the process
constituting the Kernel Security Context for a process. Userspace
programs can then employ the kernel to perform access checks, retrieve
shared secrets, etc. Modules could implement the different credential
types. The userspace / kernelspace transfer might be as simple as doing
GSSAPI over an AF_LOCAL socket (like SCM_CREDENTIALS).

Just a thought,
Mike

Note: I'm not a samba developer so I speak only for myself.
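
For reference, the SCM_CREDENTIALS mechanism mentioned in the message above, shown as an added example that is not part of the original post: a receiver on an AF_LOCAL socket gets the sender's pid, uid and gid filled in by the kernel, and that triple is all the identity it has to base an access decision on. The function names, the request string and the allowlist check are hypothetical; Linux is assumed.

```python
import os
import socket
import struct

# Linux struct ucred: pid_t pid; uid_t uid; gid_t gid.
UCRED = struct.Struct("iII")


def recv_with_creds(sock, bufsize=256):
    """Return (data, (pid, uid, gid)) from the kernel-supplied SCM_CREDENTIALS
    control message, or (data, None) when no credentials were attached."""
    data, ancdata, _flags, _addr = sock.recvmsg(
        bufsize, socket.CMSG_SPACE(UCRED.size))
    for level, ctype, cdata in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_CREDENTIALS:
            return data, UCRED.unpack(cdata[:UCRED.size])
    return data, None


def authorize(creds, allowed_uids):
    """Hypothetical policy check: fail closed when credentials are missing,
    otherwise decide on the uid alone, since pid/uid/gid is everything the
    kernel vouches for here."""
    if creds is None:
        return False
    _pid, uid, _gid = creds
    return uid in allowed_uids


def demo():
    """Send one constructed request across a socketpair inside this process
    and return (request, creds, decision)."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    with client, server:
        # The receiver must opt in before the message is sent; the kernel
        # then attaches the sender's credentials to each datagram.
        server.setsockopt(socket.SOL_SOCKET, socket.SO_PASSCRED, 1)
        client.send(b"read /srv/share/report.txt")  # constructed request
        request, creds = recv_with_creds(server)
    return request, creds, authorize(creds, {os.getuid()})


if __name__ == "__main__":
    request, creds, allowed = demo()
    print("request:", request)
    print("kernel-attested (pid, uid, gid):", creds)
    print("allowed:", allowed)
```
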

