USENIX Association Proceedings of the FREENIX Track : 2003

The access model of exporting NFS volumes to clients suffers from two problems. First, the server depends on the client to specify the user credentials to use and has no flexible mechanism to map or restrict the credentials given by the client. Second, when the server exports a volume, there is no mechanism to ensure that users accessing the server are only able to access their own files. We address these problems by a combination of two solutions. First, range-mapping allows the NFS server to restrict and flexibly map the credentials set by the client. Second, file-cloaking allows the server to control the data a client is able to view or access, beyond normal Unix semantics. Our design is compatible with all versions of NFS. We have implemented this work in Linux and made changes only to the NFS server code; client-side NFS and the NFS protocol remain unchanged. Our evaluation shows a minimal average performance overhead and, in some cases, an end-to-end performance improvement.
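The two server-side checks the abstract describes can be modeled in a few lines of C. This is an added illustration, not code from the paper or from the Linux NFS server: the `range_map` and `entry` structures, the squash id 65534, and the owner-only visibility rule are assumptions chosen to show the idea, and the sample export and directory are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SQUASH_ID 65534u /* assumed "nobody" id for credentials outside every range */

/* Hypothetical per-export rule: client ids lo..hi map to server ids base.. */
struct range_map { uint32_t lo, hi, base; };

/* Hypothetical directory entry as the server sees it before replying. */
struct entry { const char *name; uint32_t owner; };

/* Range-mapping: translate the id the client claims; unmapped ids are squashed. */
uint32_t map_id(const struct range_map *maps, size_t n, uint32_t client_id)
{
    for (size_t i = 0; i < n; i++)
        if (client_id >= maps[i].lo && client_id <= maps[i].hi)
            return maps[i].base + (client_id - maps[i].lo);
    return SQUASH_ID;
}

/* File-cloaking (assumed policy): keep only entries owned by the mapped id,
 * regardless of mode bits. Compacts in place and returns the visible count. */
size_t cloak(struct entry *ents, size_t n, uint32_t server_id)
{
    size_t kept = 0;
    if (server_id == SQUASH_ID)
        return 0; /* squashed callers see nothing */
    for (size_t i = 0; i < n; i++)
        if (ents[i].owner == server_id)
            ents[kept++] = ents[i];
    return kept;
}

/* Constructed sample: one export mapping client ids 1000-1999 to 5000-5999. */
static const struct range_map sample_maps[] = { { 1000, 1999, 5000 } };

size_t visible_for(uint32_t client_id)
{
    struct entry dir[] = { { "alice.txt", 5001 }, { "bob.txt", 5002 }, { "root.cfg", 0 } };
    return cloak(dir, 3, map_id(sample_maps, 1, client_id));
}

int main(void)
{
    /* A client claiming uid 0 falls outside the range and is squashed. */
    printf("uid 1001 sees %zu, uid 0 sees %zu\n", visible_for(1001), visible_for(0));
    return 0;
}
```

Both checks run on the server, which matches the abstract's point that the client and the NFS protocol stay unchanged.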
