Hi Mimi-

I'm working on a section of draft-ietf-nfsv4-integrity-measurement that discusses what kind of access permission is necessary to update a file's IMA metadata. This is needed because every NFS operation has an associated user ID -- an NFS server implementer needs to know which users are allowed to alter the IMA metadata.

On Linux, because the metadata is stored in "security.ima", CAP_SYS_ADMIN is required. But on other NFS server implementations (ones that might not have a capabilities system), IMA metadata could be stored via a mechanism that does not require any special permission. And, it seems to me that if a user can alter the file content, there is no additional harm in her being allowed to update the IMA metadata.

Is there an architectural reason, other than that Linux stores IMA metadata in a security.* xattr, for requiring a superuser privilege to update IMA metadata?

Thanks in advance for any insight!

--
Chuck Lever