Subject: Re: exporting -ro nfs
To: Pavel Cahyna <pavel@netbsd.org>
From: Johnny Billquist <bqt@softjar.se>
List: netbsd-users
Date: 01/25/2007 21:23:59
Pavel Cahyna wrote:
> On Thu, Jan 25, 2007 at 09:17:16AM -0800, Bill Studenmund wrote:
>> The problem is that the NFS server code can't tell if a file handle
>> corresponds to a file under a given mount point or not when you have
>> multiple exposed mount points in one file system. So say you had one
>> directory in an fs exposed read-write and another read-only. If an 
>> attacker took a file handle from the r/o mount and used it via the r/w 
>> mount point, the corresponding file can be modified even though the 
>> initial layout would say it wouldn't.
>>
>> Null mounts don't change this as the file-system-specific part of our file 
>> handles are the same between a null mount and the underlying file system. 
>> So given a file handle from the null mount, you can figure out the file 
>> handle for the same file for the non-nullfs fs.
> 
> Could nullfs encrypt the filehandles of the underlying filesystem and use
> those encrypted filehandles for NFS?

Who cares? All you're doing is preventing users from having an easy way 
to find the file handle for a file. If someone really wants to, they can 
just brute-force it. The underlying problem is that the files are 
accessible r/w, even though you wanted them exposed r/o.
There is no easy way around that problem.

	Johnny
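
An added example, not part of the original thread: a defender-side audit for the configuration discussed above, where directories on the same filesystem are exported with different read-only and read-write settings. The exports text and mount table are constructed, and the parser assumes a simplified BSD-style exports syntax.

```python
# Added example: flag filesystems whose exported directories mix -ro and
# read-write policy. Per the thread, the server cannot tie a file handle to
# the export it was obtained through, so such a mix is not enforceable.
import os
from collections import defaultdict

# Constructed sample input (not from the thread).
SAMPLE_EXPORTS = """\
# constructed sample exports file
/export/pub -ro client1 client2
/export/scratch client1
/home -ro client1
/home/shared client2
"""
SAMPLE_MOUNT_POINTS = ["/", "/export", "/home", "/home/shared"]

def parse_exports(text):
    """Return [(directory, read_only)] for every directory on every line.
    Assumption: '/...' tokens are directories, '-...' tokens are options,
    everything else is a host or netgroup and is ignored (conservative)."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        tokens = raw.split("#", 1)[0].split()
        read_only = "-ro" in tokens
        entries.extend((os.path.normpath(t), read_only)
                       for t in tokens if t.startswith("/"))
    return entries

def filesystem_of(path, mount_points):
    """Longest-prefix match of path against the known mount points."""
    best = None
    for mp in map(os.path.normpath, mount_points):
        if mp == "/" or path == mp or path.startswith(mp + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best

def mixed_policy_filesystems(exports_text, mount_points):
    """Map each filesystem exported both ro and rw to its export entries."""
    by_fs = defaultdict(list)
    for directory, ro in parse_exports(exports_text):
        by_fs[filesystem_of(directory, mount_points)].append((directory, ro))
    return {fs: sorted(ents) for fs, ents in by_fs.items()
            if len({ro for _, ro in ents}) > 1}

if __name__ == "__main__":
    for fs, ents in mixed_policy_filesystems(SAMPLE_EXPORTS, SAMPLE_MOUNT_POINTS).items():
        print(f"{fs}: mixed ro/rw exports on one filesystem: {ents}")
```

The check ignores which hosts each line names, so it flags every mixed filesystem even when the read-only and read-write clients do not overlap.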