Darren J Moffat wrote: > Nicolas Williams wrote: >> On Mon, Oct 12, 2009 at 05:47:12PM +0200, Casper.Dik at Sun.COM wrote: >>>> If you use NTFS ACLs that include deny entries this differs. >> >> That's true, but there's just not much we can do about AUTH_SYS, and as >> Casper says, "AUTH_SYS is a security risk in itself". >> >>>> As we are talking about older NFS versions that do not support NTFS >>>> ACLs, it seems to be not a security risk to truncate the list. >> >> NFSv4 ACLs are very much like NTFS ACLs, particularly in that they can >> have DENY ACEs. >> >>> The only other issue is that truncating may cause unexplained >>> permission issues. However, not truncating the gid list requires the >>> administrator to give all users at most 16 groups or they won't be >>> able to use NFS. >> >> Specifically it may cause non-deterministic behavior. Sorting the group >> list will cause deterministic behavior, but that is probably worse. >> Ideally we could just wave our hands and make AUTH_SYS go away. But we >> can't. What we can do though is this: the NFS server could look up the >> group memberships of the UID asserted by an AUTH_SYS client. > > That would actually help in a few edge case configs even when the group > list is less than 16. Having AUTH_SYS just ignore the supplementary > groups all together and collect them itself would be useful - but likely > a performance impact since now we need a nameservice lookup. > To avoid a performance hit only only ignore the groups and recompute them from the UID when the number of groups is maxed out. ie 16 groups
Regards Julian
