Subject: Need some advice regarding portable user IDs
To: None <freebsd-hackers@FreeBSD.ORG, tech-userlevel@netbsd.org>
From: Wilfredo Sanchez <wsanchez@apple.com>
List: tech-userlevel
Date: 08/17/1999 19:17:45
A group of us at Apple are trying to figure out how to handle
situations where a filesystem with "foreign" user IDs is present.
The basic problem is that the user experience using Unix semantics
is not really pleasant. I think some examples would help:

I'm working with Joe on a project, and I have some sources I want
him to take a look at, so I mount a floppy disk. Well, that's a bad
example, because floppies are "out"... So I mount a zip disk with UFS
on it, and I copy my source tree onto it, and hand this to Joe. Joe
takes the disk home, and sticks it in his computer, and he finds
that he can't read the files, because I have a lamer umask, and as a
bonus, I don't have an account on his machine, so the files are owned
by some random UID.

I think the desired behaviour would be that since this is
effectively now Joe's zip disk, he should be able to do as he
pleases. One proposal might be to give the console user the
equivalent of root's privileges on any removable media he inserts
into the machine while he's logged in on the console. This solves
the immediate problem of permissions for Joe, since the file owners
are, on his machine and in this situation, largely irrelevant.
Presumably the console user is the one fiddling with the external
media.

As another example, a similar situation often comes up on the net
with tar files containing UIDs and GIDs other than zero.

One problem with my proposal (setting security and perhaps other
implications aside for the moment), is that knowing what media is
removable is becoming increasingly difficult. Hot-swappable drives
(e.g. FireWire) are effectively removable, and may be transported
between machines fairly regularly. Furthermore, your "internal"
drives, which are presently presumed to be local, may be on the same
bus and indistinguishable from the "external" drives.

So perhaps there needs to be a way to mark a drive as local
(perhaps with a host ID of some sort?) and noticing when a volume is
"foreign" that you need to do something special. Certainly you might
want to ignore setuid bits, for starters. This could simply be
something like fstab, which lists the local drives, and everything
else isn't considered local.

But then the question is, how do we want to deal with non-local
filesystems? The ideal thing would be to have a way to transport
user information with the filesystem (e.g. uids on disk are mapped to
system uids via a per-filesystem database with more global IDs like
email addresses), but that could be expensive.

Am I spewing babel? :-)

Has anyone dived into this area already and has some experience
with it? It's confusing me pretty good.
Thanks,
-Fred
--
Wilfredo Sanchez, wsanchez@apple.com
Apple Computer, Inc., Core Operating Systems / BSD
Technical Lead, Darwin Project
1 Infinite Loop, 302-4K, Cupertino, CA 95014
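The two mechanisms sketched in the post above (an fstab-style list that decides which volumes are local, with setuid and device nodes ignored on everything else, and a per-volume database that maps on-disk UIDs to this host's UIDs through a global identifier such as an e-mail address) as one added worked example. This is not code from the post or from any BSD or Darwin project; the fstab lines, the volume database, the host user table, the fallback to the console user's UID and the sample inode owners are all constructed for illustration.

```python
"""Added example: classify volumes as local or foreign from an fstab-style
list, pick safe mount options for foreign ones, and remap the owner UIDs
stored on a foreign volume through a per-volume identity database.
All tables below are constructed sample data, not real system files."""

# Constructed fstab-style list of the host's own (local) devices, in the
# usual fstab column order: device, mount point, type, options, dump, pass.
LOCAL_FSTAB = """\
# device      mountpoint  type    options     dump pass
/dev/wd0a     /           ffs     rw          1    1
/dev/wd0e     /usr        ffs     rw          1    2
/dev/cd0a     /cdrom      cd9660  ro,noauto   0    0
"""

# Options forced onto any volume that is not listed as local: ignore
# setuid/setgid bits and device nodes carried on foreign media.
FOREIGN_MOUNT_OPTIONS = ("nosuid", "nodev")

# Constructed per-volume database that travels with the foreign volume:
# on-disk UID -> global identifier (here an e-mail address).
VOLUME_ID_DB = {1001: "fred@example.com", 1002: "alice@example.com"}

# Constructed table for the receiving host: global identifier -> local UID.
HOST_USERS = {"joe@example.com": 501, "alice@example.com": 502}

# Constructed owners of a few inodes as stored on the foreign volume.
VOLUME_INODE_OWNERS = {"src/main.c": 1001, "src/util.c": 1002, "README": 0}


def local_devices(fstab_text):
    """Return the set of device names listed in an fstab-style text."""
    devices = set()
    for line in fstab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry: not enough columns to trust
        devices.add(fields[0])
    return devices


def is_local(device, fstab_text=LOCAL_FSTAB):
    """A device is local only if fstab lists it; everything else is foreign."""
    return device in local_devices(fstab_text)


def mount_options(device, requested=("rw",), fstab_text=LOCAL_FSTAB):
    """Return the option string to mount with: the requested options, plus
    nosuid/nodev appended when the device is not known to be local."""
    options = list(requested)
    if not is_local(device, fstab_text):
        for opt in FOREIGN_MOUNT_OPTIONS:
            if opt not in options:
                options.append(opt)
    return ",".join(options)


def map_uid(disk_uid, volume_db, host_users, fallback_uid):
    """Map a UID stored on the foreign volume to a UID on this host.

    disk UID -> global id (from the volume's database) -> host UID.
    Any UID the volume does not describe, or whose global id has no account
    here, falls back to fallback_uid (the console user who inserted the
    media, in the post's proposal), so no file ends up owned by a random
    or privileged UID."""
    global_id = volume_db.get(disk_uid)
    if global_id is None:
        return fallback_uid
    return host_users.get(global_id, fallback_uid)


def remap_owners(inode_owners, volume_db, host_users, fallback_uid):
    """Apply map_uid to every inode owner of the foreign volume."""
    return {path: map_uid(uid, volume_db, host_users, fallback_uid)
            for path, uid in inode_owners.items()}


if __name__ == "__main__":
    console_uid = HOST_USERS["joe@example.com"]
    print("zip disk options:", mount_options("/dev/sd0a"))
    print("root disk options:", mount_options("/dev/wd0a"))
    print(remap_owners(VOLUME_INODE_OWNERS, VOLUME_ID_DB, HOST_USERS,
                       console_uid))
```

With the constructed tables, the zip disk (`/dev/sd0a`, absent from fstab) mounts `rw,nosuid,nodev` while the root disk keeps plain `rw`; Fred's files become Joe's because Fred has no account on Joe's machine, Alice's files map to her local UID 502, and the root-owned README also falls back to Joe rather than to root.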