Hi Murali,
This is definitely a positive step for access control. I am out on vacation in a couple of days and so it will be a few weeks before I try this out. But thanks for the work! That's a lot of code.

For now, I have hacked the particular client's kernel module to disallow root access. This is a specific case where the root is trusted, but we want to prevent accidental file deletions. Server centric control (like nfs or this patch) is the obvious way to go, as we move on to untrusted clients.

Thanks,
Praveen


Murali Vilayannur wrote:

Hi Praveen,
Would something like the attached patch work for you?
I have minimally tested it on my setups and it seems to work.
You need to add something (optional) like the following to your fs.conf file
under the <FileSystem> context tags

<ExportOptions>
                ReadOnly yes --> if you want readonly f.s
                RootSquash yes --> if you want root squash. Unfortunately this will root squash all clients :(. No selective squashing. Currently root will squash to a default uid for nobody, gid for nobody.
                AllSquash yes --> all users will get squashed to nobody..
                AnonUID <uid> --> override the anonuid value to something..
                AnonGID <gid> --> override the anongid value to something..
</ExportOptions>

Exporting a sub-tree to specific clients is not addressed by this patch.
It requires far more work..
Thanks,
Murali


On Tue, 6 Dec 2005, Praveen KJ wrote:

Hi,

I have a particular pvfs2 client, where the root user is to have least
possible privilege.
The least I need is that the root be unable to delete other user files.
Is there a way to construct a pvfs2 setup so that nfs equivalent of
root_squash is supported ?

Another alternative could be to export only a sub-tree (or
sub-directory) of the pvfs2 root tree to this particular client.
The root user on the client will thus be limited in scope. It can
perform actions only on that sub-directory.


Thanks,
Praveen
_______________________________________________
PVFS2-users mailing list
[email protected]
http://www.beowulf-underground.org/mailman/listinfo/pvfs2-users
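
The squash semantics described for the <ExportOptions> settings in this thread, as an added example that is not code from the patch or from PVFS2. The struct and function names are hypothetical, the nobody id 65534 is an assumed default, and AllSquash taking precedence over RootSquash and the simplified directory write check are assumptions modelled on NFS behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

#define NOBODY_ID 65534 /* assumption: common Linux id for "nobody" */

/* Hypothetical in-memory form of the <ExportOptions> settings. */
struct export_opts {
    bool read_only, root_squash, all_squash;
    uid_t anon_uid; /* AnonUID, or NOBODY_ID when not overridden */
    gid_t anon_gid; /* AnonGID, or NOBODY_ID when not overridden */
};

struct cred { uid_t uid; gid_t gid; };

/* Map the client-supplied identity to the one the server acts as. */
struct cred squash_cred(const struct export_opts *o, struct cred in)
{
    struct cred out = in;
    /* AllSquash remaps everyone; RootSquash remaps only uid 0. */
    if (o->all_squash || (o->root_squash && in.uid == 0)) {
        out.uid = o->anon_uid;
        out.gid = o->anon_gid;
    }
    return out;
}

/* May this client identity delete an entry from a directory?
 * Simplified check: only the directory's write bits are consulted. */
bool may_unlink(const struct export_opts *o, struct cred in,
                uid_t dir_uid, gid_t dir_gid, mode_t dir_mode)
{
    if (o->read_only) return false;      /* ReadOnly refuses all changes */
    struct cred c = squash_cred(o, in);
    if (c.uid == 0) return true;         /* unsquashed root bypasses modes */
    if (c.uid == dir_uid) return dir_mode & 0200;
    if (c.gid == dir_gid) return dir_mode & 0020;
    return dir_mode & 0002;
}

int main(void)
{
    struct export_opts o = { false, true, false, NOBODY_ID, NOBODY_ID };
    struct cred root = { 0, 0 };
    /* Constructed case: a 0755 directory owned by uid/gid 1000. */
    printf("squashed root may delete: %d\n",
           may_unlink(&o, root, 1000, 1000, 0755));
    return 0;
}
```

Setting AnonUID to the uid of a real user gives squashed root that user's rights on the server, so the override should point at an account that owns nothing.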

