Re: Security hole in linux-2.0.31-pre9 (NFS related)

Harald Koenig (koenig@tat.physik.uni-tuebingen.de)
Mon, 13 Oct 1997 18:32:36 +0200


On Oct 08, Rogier Wolff wrote:

> This is a "local" permission check, which allows root-access. Then the
> server is not bothered, as the info is still in the cache. This is a
> disadvantage of caching, and allowing "local" permission checks.
>
> Is this really a security problem? Root can already do:
> "su mantel -c cat test"
> If a security fix requires a hacker to type 13 more characters,
> it is not worth it.

IMHO the real problem is not with security but with data integrity!

Once the user/owner read a long file via NFS it's in the cache
but at some later time, not all pages of the file will still be cached,
so the access of another user e.g. root trying to make a backup copy
of your directory and expecting access/read errors for files it can't access
instead of creating clobbered and truncated copies of those parts of a file
which are still in the cache (I'm sure there are better and more valid
examples for this data integrity problem -- this is just to illustrate my thoughts).

Harald

--
All SCSI disks will from now on                     ___       _____
be required to send an email notice                0--,|    /OOOOOOO\
24 hours prior to complete hardware failure!      <_/  /  /OOOOOOOOOOO\
                                                    \  \/OOOOOOOOOOOOOOO\
                                                      \ OOOOOOOOOOOOOOOOO|//
Harald Koenig,                                         \/\/\/\/\/\/\/\/\/
Inst.f.Theoret.Astrophysik                              //  /     \\  \
koenig@tat.physik.uni-tuebingen.de                     ^^^^^       ^^^^^
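
The backup scenario described in the message above, as an added toy model (not part of the original post and not kernel code). It assumes a server that refuses reads by root, a four-page file, and a client cache that still holds the first two pages; all names and values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NPAGES  4
#define PAGE_SZ 8

enum { ROOT_UID = 0, OWNER_UID = 1000 };   /* constructed uids */

/* Constructed sample file as stored on the server, readable by its owner only. */
static const char server_data[NPAGES][PAGE_SZ + 1] = {
    "page0...", "page1...", "page2...", "page3..."
};
/* Client page cache after the owner's earlier read: pages 0 and 1 are
   still cached, pages 2 and 3 have been evicted. */
static const int cached[NPAGES] = { 1, 1, 0, 0 };

/* Assumption: the server refuses root and serves only the owner. */
static int server_allows(int uid) { return uid == OWNER_UID; }

/* The "local" check done on the client: root always passes. */
static int local_allows(int uid) { return uid == ROOT_UID || uid == OWNER_UID; }

/* Copy the file as uid. With check_at_open == 0 only the local check runs at
   open and the server is asked per uncached page; with check_at_open == 1 the
   server decides once at open. Returns bytes copied, sets *err on failure. */
static int copy_file(int uid, int check_at_open, char *out, int *err)
{
    int n = 0;
    *err = 0;
    if (check_at_open ? !server_allows(uid) : !local_allows(uid)) {
        *err = 1;                       /* clean failure, nothing copied */
        return 0;
    }
    for (int p = 0; p < NPAGES; p++) {
        if (!cached[p] && !server_allows(uid)) {
            *err = 1;                   /* failure in the middle of the file */
            break;
        }
        memcpy(out + n, server_data[p], PAGE_SZ);
        n += PAGE_SZ;
    }
    return n;
}

int main(void)
{
    char buf[NPAGES * PAGE_SZ];
    int err;
    int n = copy_file(ROOT_UID, 0, buf, &err);
    printf("local check:   %d of %d bytes copied, err=%d\n", n, NPAGES * PAGE_SZ, err);
    n = copy_file(ROOT_UID, 1, buf, &err);
    printf("check at open: %d of %d bytes copied, err=%d\n", n, NPAGES * PAGE_SZ, err);
    return 0;
}
```

With only the local check, the copy made as root ends up with the cached half of the file before the error appears; with the server consulted at open, it fails before any data is written.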