running arlad as a user besides root
Christopher Allen Wing
wingc at engin.umich.edu
Sat Feb 19 23:16:29 CET 2000
Love:
> I think you are too afraid of running things as root :)
>
> If you trust your afs token and your files to arla, I think you have lost
> anyway.
What I'm more interested in being able to do is use xfs filesystems
without requiring root privileges. In the case of AFS, it would be nice if
corruption of the AFS client did not compromise the local root on the
machine.
(imagine a machine acting as a web server, serving files out of AFS with
no tokens)
> And since arlad can open whatever file and write to it there is no
> extra security by letting it run as another user than root.
Right, what I should do is modify xfs to only allow fhopen on files owned
by the arla user. (the user that opened the xfs device)
To be complete I'll also have to modify xfs to disallow INSTALLDATA from
cache files not owned by the arla user, and disable all setuid/setgid
attributes in xfs.
> I think you have started a good thing, security screening of arla. We have
> done some work doing it, but more needs to be done. There is for
> example lots of trust of what the fileserver gives to the client, if there
> is invalid information arlad might do an abort().
Well, overall Arla has been pretty stable for me over the last year--one
nice advantage it has over Transarc's is that you can at least restart it
without rebooting the machine if it does crash.
> I personally don't think that it is necessary to run arlad as a user != root.
> Haven't talked yet to the other arla people, but I would think that they
> think the same.
>
> If you come up with a good argument for not running arlad as root, I'm happy to
> include it. But I think that it gives false security.
Well, the simple patch I mentioned is flawed as you point out.
I think it would be nice to be able to use the xfs module without being
root, though- I'll look into this and write back later.
Thanks,
Chris Wing
wingc at engin.umich.edu
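
The three restrictions proposed in the message above (fhopen and INSTALLDATA only on cache files owned by the user that opened the xfs device, and no setuid/setgid bits on xfs files) can be sketched as a user-space policy check. This is an added example, not code from the original message or from Arla; `struct xfs_dev_owner`, `cache_file_allowed` and `sanitize_mode` are hypothetical names, and the regular-file test is an extra assumption not stated in the message.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* for S_IFREG / S_IFCHR on strict builds */
#endif
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Hypothetical per-device state: the uid that opened the xfs device. */
struct xfs_dev_owner { uid_t daemon_uid; };

/* Gate for both fhopen and INSTALLDATA: the cache file must belong to the
 * daemon user. Assumption added here: it must also be a regular file, so a
 * compromised daemon cannot point the kernel at a device node it owns. */
static bool cache_file_allowed(const struct xfs_dev_owner *dev,
                               const struct stat *st)
{
    if (!S_ISREG(st->st_mode))
        return false;
    return st->st_uid == dev->daemon_uid;
}

/* Drop setuid/setgid from any mode the daemon reports for an xfs file, so
 * the daemon cannot manufacture a setuid-root binary inside the mount. */
static mode_t sanitize_mode(mode_t mode)
{
    return mode & ~(mode_t)(S_ISUID | S_ISGID);
}

int main(void)
{
    /* Constructed sample data: daemon uid 500, three candidate files. */
    struct xfs_dev_owner dev = { .daemon_uid = 500 };
    struct stat own = {0}, root_owned = {0}, chardev = {0};

    own.st_mode = S_IFREG | 0600;        own.st_uid = 500;
    root_owned.st_mode = S_IFREG | 0644; root_owned.st_uid = 0;
    chardev.st_mode = S_IFCHR | 0600;    chardev.st_uid = 500;

    printf("daemon-owned cache file: %d\n", cache_file_allowed(&dev, &own));
    printf("root-owned file:         %d\n", cache_file_allowed(&dev, &root_owned));
    printf("daemon-owned char dev:   %d\n", cache_file_allowed(&dev, &chardev));
    printf("mode 04755 becomes:      %o\n",
           (unsigned)(sanitize_mode(S_IFREG | 04755) & 07777));
    return 0;
}
```

In a kernel module the ownership test would have to be made on the already-opened file object rather than on a path, so the file cannot be swapped between the check and the use.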