Subject: Re: FH munging
To: None <tech-kern@NetBSD.ORG>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 03/25/1997 21:19:38
>> What are inode generation numbers for?

>> They serve two functions: (1) to permit proper ESTALE errors on
>> clients when appropriate and (2) to make file handles hard to guess
>> de novo.

> It might be worth noting that generation numbers were meant for (1)
> and not (2).

True enough.  (And, not surprisingly, they do (1) very well and (2)
rather badly.)

> The latter is a recent hoax that, IMHO, does very little if anything
> for security.

In practice, I suspect you are right.  Certainly where I work, any host
that can talk to our NFS server is also in a position to sniff
filehandles, and none of this provides any defense against anyone who
can sniff filehandles.

> If FHs are hard to guess, then someone can just sniff one and go from
> there.

Well, not quite.  Hard-to-guess filehandles do provide some protection
against attackers who can talk to the nfsd but can't sniff traffic
to/from legitimate clients.  And unless you firewall, or run a system
with a sane nfsd (which I suspect cuts out most current vendor OSes),
that's most of the net.

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
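
Added illustration, not part of the original message or of NetBSD's code: a toy server-side check showing function (1), where a handle to a removed file gets ESTALE even after its inode number is reused. The names toy_fh, toy_create, toy_remove and toy_fh_check, the table size, and the counter-based generation are all assumptions made for this sketch.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NINODES 8                       /* constructed toy table size */

struct toy_inode { uint32_t gen; int in_use; };
struct toy_fh    { uint32_t ino; uint32_t gen; };  /* real handles also carry a filesystem id */

static struct toy_inode itable[NINODES];
static uint32_t next_gen = 1;           /* assumption: simple counter, so it is predictable */

/* Allocate the lowest free inode, stamp a new generation, hand back a handle. */
int toy_create(struct toy_fh *fh)
{
    for (uint32_t i = 0; i < NINODES; i++) {
        if (!itable[i].in_use) {
            itable[i].in_use = 1;
            itable[i].gen = next_gen++;
            fh->ino = i;
            fh->gen = itable[i].gen;
            return 0;
        }
    }
    return ENOSPC;
}

/* Free the inode; its number may be handed out again by toy_create(). */
void toy_remove(uint32_t ino)
{
    if (ino < NINODES)
        itable[ino].in_use = 0;
}

/* Server-side validation: the handle must name a live inode of the same generation. */
int toy_fh_check(const struct toy_fh *fh)
{
    if (fh->ino >= NINODES || !itable[fh->ino].in_use)
        return ESTALE;
    return itable[fh->ino].gen == fh->gen ? 0 : ESTALE;
}

int main(void)
{
    struct toy_fh old, cur;
    toy_create(&old);
    toy_remove(old.ino);
    toy_create(&cur);                   /* reuses old.ino with a new generation */
    printf("old handle: %s\n", toy_fh_check(&old) == ESTALE ? "ESTALE" : "ok");
    printf("new handle: %s\n", toy_fh_check(&cur) == ESTALE ? "ESTALE" : "ok");
    return 0;
}
```

The equality test is all that function (1) needs; how hard the generation is to guess, function (2), depends only on how the value is chosen, which this counter does nothing for.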