"Stephen C. Tweedie" wrote:
> On Fri, Oct 27, 2000 at 10:46:26AM +0200, Andreas Gruenbacher wrote:
> > Imagine if the kernel did store
> > "[EMAIL PROTECTED]" on ACLs on the filesystem. When an access control
> > decision needs to be done, the kernel simply has no idea about what
> > "[EMAIL PROTECTED]" means.
> 
> The VFS doesn't, but the filesystem does.  In NFSv4, what happens at
> the moment is that the kernel says "I don't know who the local user
> is" and asks a local GSS daemon to do a kerberos authentication on the
> user.  Once that is complete, both the client and the server have an
> authenticated and secure ID for the user of the form "username@REALM".

Since we have 32 bits worth of UID and GID now, why can't we create a
temporary UID at this point?  Each unique ACL would be assigned a unique
GID and the temporary UID would belong to some appropriate set of
groups.  This is such an obvious idea that I assume it must have been
discussed and rejected, but why?

--
Daniel
-
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to [EMAIL PROTECTED]
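The scheme Daniel sketches above, as an added toy model that is not part of the thread and not kernel code: authenticated "username@REALM" principals are mapped to temporary UIDs from a reserved range, every distinct ACL (treated here simply as a set of principals) is given its own GID, and a principal's temporary UID is a member of exactly those GIDs whose ACL names it, so the access decision collapses to an ordinary group check. The ID ranges, class and method names are all assumptions made for the illustration. It also shows the two practical problems a practitioner would hit with the idea: the mapping is not stable across restarts unless it is persisted somewhere, and a fixed range of temporary IDs can run out.

```python
"""Toy model of 'temporary UID per principal, one GID per distinct ACL'.

Constructed illustration of the proposal in the message above; it is not
the Linux VFS, NFSv4 or any idmap daemon's actual code.
"""


# Hypothetical reserved ranges. Real deployments would have to pick ranges
# that cannot collide with local accounts or groups.
UID_RANGE = range(2_000_000, 2_000_100)
GID_RANGE = range(3_000_000, 3_000_100)


class IdMapper:
    """Hands out temporary UIDs for principals and GIDs for ACLs.

    All state is in memory: if this object is lost (a reboot, in the
    kernel analogy) every mapping is lost with it, which is why the
    on-disk ACL would still need to store the principal strings.
    """

    def __init__(self):
        self._uid_by_principal = {}
        self._principal_by_uid = {}
        self._gid_by_acl = {}          # frozenset(principals) -> gid
        self._next_uid = iter(UID_RANGE)
        self._next_gid = iter(GID_RANGE)

    def uid_for(self, principal):
        """Return the temporary UID for an authenticated principal.

        Allocates one on first sight; the same principal always gets the
        same UID for the lifetime of this mapper.
        """
        if "@" not in principal:
            raise ValueError("expected an authenticated username@REALM principal")
        uid = self._uid_by_principal.get(principal)
        if uid is None:
            try:
                uid = next(self._next_uid)
            except StopIteration:
                raise RuntimeError("temporary UID range exhausted") from None
            self._uid_by_principal[principal] = uid
            self._principal_by_uid[uid] = principal
        return uid

    def gid_for_acl(self, principals):
        """Return the GID assigned to this ACL (a set of principals).

        Two ACLs naming the same principals are the same ACL, whatever
        the order in which they were written, so they share a GID.
        """
        key = frozenset(principals)
        gid = self._gid_by_acl.get(key)
        if gid is None:
            try:
                gid = next(self._next_gid)
            except StopIteration:
                raise RuntimeError("ACL GID range exhausted") from None
            self._gid_by_acl[key] = gid
        return gid

    def groups_for(self, uid):
        """Set of ACL GIDs the temporary UID belongs to.

        A UID is a member of the GID of every ACL that names its principal.
        """
        principal = self._principal_by_uid[uid]
        return {gid for acl, gid in self._gid_by_acl.items() if principal in acl}

    def may_access(self, uid, file_gid):
        """The access decision reduces to a plain group-membership test."""
        return file_gid in self.groups_for(uid)


def demo():
    """Walk through two files with different ACLs and two principals."""
    m = IdMapper()
    gid_shared = m.gid_for_acl(["alice@EXAMPLE.ORG", "bob@EXAMPLE.ORG"])  # constructed
    gid_bob_only = m.gid_for_acl(["bob@EXAMPLE.ORG"])                     # constructed
    alice = m.uid_for("alice@EXAMPLE.ORG")
    bob = m.uid_for("bob@EXAMPLE.ORG")
    return {
        "alice_uid": alice,
        "bob_uid": bob,
        "alice_reads_shared": m.may_access(alice, gid_shared),
        "alice_reads_bob_only": m.may_access(alice, gid_bob_only),
        "bob_groups": sorted(m.groups_for(bob)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the groups_for() lookup walks every ACL, because group membership here is derived from the ACLs rather than stored per user; a real implementation would have to maintain that index incrementally and would also have to decide how and when temporary IDs are ever reclaimed.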
