[OpenAFS-devel] device nodes...
Jeffrey Hutzelman
jhutz@cmu.edu
Thu, 22 Feb 2001 03:06:50 -0500 (EST)

On 20 Feb 2001, Derek Atkins wrote:
> The major problem with device-nodes is that devices are extremely
> system-dependent. That doesn't mean that I'm against them; I've found
> a number of times when having a device node in AFS would be extremely
> useful (e.g. building a RedHat installer disk). But I can easily see
> the original argument and can usually find workarounds for the cases
> where I find I want to use device nodes in AFS.

Yeah. The problem here is that if you (an admin) create an innocuous
device on one system, it may turn out to be dangerous on some other
platform. Also, having device support in the cache manager at all
introduces the possibility for some nasty attacks where a user spoofs
responses to his own requests in order to trick the cache manager into
letting him access a device.

In order to come close to being safe, I would propose something like the
following, if device nodes are to be supported at all...

Device nodes are represented in AFS as magic symlinks, in the same way
as mount points. No special tool or fileserver support is required to
create and manipulate them, though some cells may wish to restrict who
can create such links (as we do for mount points), and workstations may
want to restrict which cells' devices can be used.

The target of a magic link is a _symbolic_ platform-independent name for
the device to be referenced. This name is looked up by the cache manager
in a locally-maintained table to find the actual device type (block or
char), device ID, and permissions. The magic table is loaded at startup
by afsd, and may be manipulated later using fs commands by a superuser.

With this design, a user may create or spoof a "device reference", but
it can only refer to a device which has been explicitly configured by
the workstation's administrator, and even then the permissions set by
the admin will be enforced.

-- Jeff
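The lookup proposed in the message above, written in C as an added example (not part of the original message and not OpenAFS code). The struct layout, the table contents, the cell name, the allowed name characters and the function resolve_dev_link are all assumptions made for illustration; the message specifies none of them.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical layout: the post names the fields but defines no format. */
struct dev_entry {
    const char *name;      /* symbolic, platform-independent name */
    char type;             /* 'c' = char device, 'b' = block device */
    unsigned major, minor; /* local device ID */
    unsigned mode;         /* permissions chosen by the local admin */
};

/* Constructed sample table (Linux-style numbers), loaded by the admin. */
static const struct dev_entry dev_table[] = {
    { "null",   'c', 1, 3, 0666 },
    { "zero",   'c', 1, 5, 0666 },
    { "random", 'c', 1, 8, 0444 },
};
/* Constructed allowlist of cells whose device links are honored here. */
static const char *const trusted_cells[] = { "example.org" };

static int cell_trusted(const char *cell) {
    for (size_t i = 0; i < sizeof trusted_cells / sizeof *trusted_cells; i++)
        if (strcmp(cell, trusted_cells[i]) == 0) return 1;
    return 0;
}

/* Link supplies only a name; NULL means deny. Numbers and mode are local. */
const struct dev_entry *resolve_dev_link(const char *cell, const char *target) {
    if (!cell || !target || !cell_trusted(cell)) return NULL;
    size_t n = strlen(target);
    if (n == 0 || n > 32) return NULL;
    for (size_t i = 0; i < n; i++) {   /* names only: no paths, no "8,0" */
        char c = target[i];
        if (!((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '_'))
            return NULL;
    }
    for (size_t i = 0; i < sizeof dev_table / sizeof *dev_table; i++)
        if (strcmp(target, dev_table[i].name) == 0) return &dev_table[i];
    return NULL;
}

int main(void) {
    const char *tries[] = { "null", "sda", "../null", "8,0" };
    for (size_t i = 0; i < 4; i++) {
        const struct dev_entry *e = resolve_dev_link("example.org", tries[i]);
        printf("%-8s -> %s\n", tries[i], e ? "allowed" : "denied");
    }
    return 0;
}
```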