From: Marcus Brinkmann
Subject: Re: Directories traversal (was Re: the deadly hypercube of death, or: handling permissions)
Date: Fri, 28 Apr 2006 14:34:14 +0200
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjō) APEL/10.6 Emacs/21.4 (i486-pc-linux-gnu) MULE/5.0 (SAKAKI)

At Fri, 28 Apr 2006 14:01:33 +0200,
Bas Wijnen <address@hidden> wrote:
> I think it's a very bad idea to give the system administrator read access to
> all your files, just because he wants to make backups.  There already is a
> form which can be used for recovering, because we have a persistent system.
> Making a backup should simply consist of copying the snapshot.  The question
> is who should have the right to do this, but it makes sense that there is at
> least a capability for it.
> 
> To get rid of the block device/files problem, only allocated parts of space
> banks should be backed up, and not the entire allocatable space.  Optimising
> more than that will lead to security and privacy issues, I think, and it's not
> important enough that we should risk that.

However, we will want a way to serialize the state of many programs and
transfer it to an updated set of servers, or maybe even to a new
machine (of course not possible if the state contains random
capabilities).

This mechanism could also be used to create a backup of selected
configurations.  I think that this is important enough for partial
recovery that it must be considered, because you cannot restore a
backup of the whole machine just because one user lost an important
file.

Of course, there are other solutions like versioned file systems.
This requires much more thought.

Thanks,
Marcus