when updating security for a remote procedure call

A traditional inter-server file copy entails the user gaining access to a file on the source, reading it, and writing it to a file on the destination.

In secure NFSv4 inter-server server-side copy (see Section 4 of [RFC7862]), the user first secures access to both source and destination files and then uses NFSv4.2-defined RPCSEC_GSSv3 structured privileges to authorize the destination to copy the file from the source on behalf of the user.

The GSS-API and its mechanisms certainly could be extended to address this shortcoming. However, it is addressed here at the application layer, i.e., in RPCSEC_GSS.

A major motivation for version 3 of RPCSEC_GSS (RPCSEC_GSSv3) is to add support for multi-level (labeled) security and server-side copy for NFSv4.

The initial data acquisition is authenticated by the first user's credentials, and if only that user's credentials are used, it may be possible for a malicious user or users to "poison" the cache for other users by introducing bogus data into the cache.

Another use of the multi-principal assertion is the secure conveyance of privilege information for processes running with more (or even with less) privilege than the user normally would be accorded.

