2002 FREENIX Track Technical Program - Abstract
Enhancing NFS Cross-Administrative Domain Access
Joseph Spadavecchia and Erez Zadok, Stony Brook University
Abstract
The access model of exporting NFS volumes to clients suffers from two
problems. First, the server depends on the client to specify the user
credentials to use and has no flexible mechanism to map or restrict
the credentials given by the client. Second, when the server exports
a volume, there is no mechanism to ensure that users accessing the
server are only able to access their own files.
We address these problems by a combination of two solutions. First, range-mapping allows the NFS server to restrict and flexibly map the
credentials set by the client. Second, file-cloaking allows the
server to control the data a client is able to view or access, beyond normal
Unix semantics.
Our design is compatible with all versions of NFS. We have implemented this
work in Linux and made changes only to the NFS server code; client-side NFS
and the NFS protocol remain unchanged. Our evaluation shows a minimal
average performance overhead and, in some cases, an end-to-end performance
improvement.
The Proceedings are published as a collective work, © 2002 by the USENIX Association. All Rights Reserved. Rights
to individual papers remain with the author or the author's employer.
Permission is granted for the noncommercial reproduction of the complete
work for educational or research purposes. USENIX acknowledges all
trademarks within this paper.