Here it goes out to the server that refuses the information. This goes
wrong after the local permission checks have been done, so that's why
you get "I/O error".
> Mandelbrot:/home/alex/mantel/Kernel # cat test
> cat: test: Permission denied
and here it uses the cached permissions on the client. These seem to
now reflect the "permission denied" that the server sent on the first
data-request.
> Now, after the owner has read the file on the same machine, it is readable
> by root afterwards:
>
> Mandelbrot:/home/alex/mantel/Kernel # cat test
> blabla
This is a "local" permission check, which allows root-access. Then the
server is not bothered, as the info is still in the cache. This is a
disadvantage of caching, and allowing "local" permission checks.
Is this really a security problem? Root can already do:
"su mantel -c cat test"
If a security fix requires a hacker to type 13 more characters,
it is not worth it.
The server has a "root-squash" option to protect the server against
an attack from "root at an nfs client". This root-squash option
prevents the root-on-the-client from generating setuid-root binaries
on a server-local filesystem, and from writing root-owned files.
Roger.
-- ** R.E.Wolff@BitWizard.nl ** +31-15-2137555 ** http://www.BitWizard.nl/ ** Florida -- A 39 year old construction worker woke up this morning when a 109-car freight train drove over him. According to the police the man was drunk. The man himself claims he slipped while walking the dog. 080897
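
The sequence described in the message above, as a toy model added here for illustration (not part of the original mail and not real NFS code): the client does a local permission check that uid 0 always passes, then serves data from its cache, and only contacts the root-squashing server on a cache miss. The class names, the owner uid 1000 and the squash uid 65534 are assumptions; the model covers only the data cache, not cached permission results.

```python
import errno

NOBODY = 65534  # assumed uid that a squashed root is mapped to


class Server:
    """Toy NFS server; with root_squash, client uid 0 is treated as nobody."""

    def __init__(self, root_squash=True):
        self.root_squash = root_squash
        self.files = {}  # name -> (owner_uid, mode, data)

    def read(self, uid, name):
        if self.root_squash and uid == 0:
            uid = NOBODY
        owner, mode, data = self.files[name]
        allowed = mode & 0o400 if uid == owner else mode & 0o004
        if uid != 0 and not allowed:
            raise PermissionError(errno.EACCES, "server refused read")
        return data


class Client:
    """Toy NFS client: local permission check, then cache, then server."""

    def __init__(self, server):
        self.server = server
        self.cache = {}  # name -> data fetched by any local user

    def cat(self, uid, name):
        owner, mode, _ = self.server.files[name]  # stands in for cached attributes
        allowed = mode & 0o400 if uid == owner else mode & 0o004
        if uid != 0 and not allowed:      # local check: root always passes
            return "Permission denied"
        if name not in self.cache:        # cache miss: the server decides
            try:
                self.cache[name] = self.server.read(uid, name)
            except PermissionError:
                return "I/O error"        # refusal arrives after the local check
        return self.cache[name]           # cache hit: the server is never asked


def demo():
    srv = Server(root_squash=True)
    srv.files["test"] = (1000, 0o600, "blabla")  # constructed sample file
    cl = Client(srv)
    # root before the owner's read, the owner, then root again
    return [cl.cat(0, "test"), cl.cat(1000, "test"), cl.cat(0, "test")]
```
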