An Operating Systems Vade Mecum

Physical representation 225a dismount service call.Dismount(device). This call writes any remaining write-behind blocks to the deviceand removes the appropriate entry from the mount table. The contents of thefile mentioned in the Mount call are again available.Mounting disks introduces novel security problems. Until a disk is mounted, it isjust a device, which in Unix can be accessed as a single device file. While it is in thatstate, anyone who can access that special file can modify its data, introducing new accessrights and changing ownerships of the files it contains. In Unix, the problem is particularlysevere because a malicious user can set the rights on a load image for the commandinterpreter so that it is owned by the ‘‘superuser,’’ an extremely privileged subject. It isalso possible to set the permissions on that file so that when it runs, it acquires the rightsof its owner. Then the user can mount the disk, execute that command interpreter, and beas powerful as the superuser. For this reason, Unix usually allows only the superuser tocall Mount or modify unmounted disks.6.5 Multiple machinesIf several machines are connected by a network, files can often be accessed acrossmachines. A network-wide file name includes its machine name. For example, in DECnet,a file /a/b on machine George would be named George::/a/b. When a processaccesses a file with a remote name, messages must be sent to a server on the remotemachine to open the file there and to access it on behalf of the local process. Discoveringthat a file name is remote and negotiating with the remote machine can be one of thefunctions of the file manager (as in VMS), or it could reside outside the kernel in libraryroutines linked into programs that wish such access.Just as mounting disks is an elegant way to simplify organizing files on severaldisks, remote mounting simplifies organizing files on several machines. One goodexample is the Network File Server (NFS), developed by Sun Microsystems for Unix.Instead of a local device, the Mount service call can specify a remote directory, that is, adirectory in some cooperating machine’s file space. Of course, the remote machine hasthe option of refusing to service such a request, and this decision can be based on the particulardirectory that is being mounted and the identity of the requesting machine. Oncea remote directory has been mounted, users of the local machine see a virtual file hierarchythat includes all the files in that remote directory. Whenever the local file managerneeds a block from a remote machine, it sends a request across a communication line tothe remote machine.Figure 6.17 shows a typical arrangement of files across three cooperatingmachines. Each machine has a disk that is used for the initial file system (here, disks A,C, and E). These disks have very similar or even identical files. Each machine also has alarger disk that holds files unique to that machine (disks B, D, F). Each machine mountsdisk B onto file 2, disk D onto file 3, and disk F onto file 4. The result is that everyone onthese three machines sees an identical extended file hierarchy. In fact, if accounts are thesame on all three machines, users can log onto any machine that happens to be most