Re: knfsd and system crashes
kwrohrer@enteract.com
Sat, 15 Nov 1997 01:14:08 -0600 (CST)
And lo, Steven S. Dick saith unto me:
> I think a direct iget to retrieve the inode from the NFS file handle
> is probably a good idea when all other options fail. However, I am
> concerned that this may add security holes.
What do you mean "add"? 1/2 :-) NFS client machines are already trusted
with the file privs of any luser (root as well if the fs is exported
with no_root_squash). Since the client does all authentication, a
bad client can assume any and all UIDs and GIDs. This renders most
protections useless.
> What is to stop an attacker from generating bogus NFS filehandles
> containing inode numbers of files that would otherwise not be accessible?
> At the very least, I would think a check of the parent directories'
> permissions would be a good idea?
If the volume is exported with root_squash (the default), and a file to be
protected is under a root-owned, 711-perms directory, a bad client can still
race to try all possible filehandles before it crashes the server by
filling / with error notices... (if indeed such notices are generated)
> Or am I just silly in thinking that a server exporting NFS partitions
> has any semblance of security?
Probably.
Keith
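As an added example (not code from this thread), a small audit of /etc/exports that flags the trust settings Keith describes: exports with no_root_squash, and exports that trust any client at all. It assumes the Linux knfsd syntax `path host(options) host(options)`; the sample file content below is constructed.

```python
"""Flag NFS exports that extend server trust to client-asserted identities."""
import re

# Constructed sample /etc/exports content (not a real configuration).
SAMPLE_EXPORTS = """\
# constructed sample
/export/home   *(rw,no_root_squash)
/export/tools  192.0.2.0/24(ro,root_squash)
/srv/data      nfsclient.example.org(rw)
"""

_CLIENT_RE = re.compile(r'([^(]*)(?:\((.*)\))?')


def parse_exports(text):
    """Yield (path, host, options) for every client entry in an exports file.

    A client field with no host part (e.g. "(rw)") means "any host", which
    exportfs treats the same as "*"; options default to an empty set.
    """
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, clients = fields[0], fields[1:]
        for client in clients:
            m = _CLIENT_RE.fullmatch(client)
            host = m.group(1) or '*'
            opts = {o for o in (m.group(2) or '').split(',') if o}
            yield path, host, opts


def audit_exports(text):
    """Return (path, host, finding) tuples for risky export entries.

    no_root_squash: client root maps to server root, so a bad client owns the
    export outright.  wildcard_host: any machine that can reach the server is
    trusted with whatever UID/GID it chooses to assert (AUTH_SYS), which is
    the trust problem the thread discusses.
    """
    findings = []
    for path, host, opts in parse_exports(text):
        if 'no_root_squash' in opts:
            findings.append((path, host, 'no_root_squash'))
        if host == '*':
            findings.append((path, host, 'wildcard_host'))
    return findings


if __name__ == '__main__':
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print(f'{path} {host}: {finding}')
```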