Subject: Re: devfs (was Re: Not updating device file inode change times)
To: Todd Vierling <firstname.lastname@example.org>
From: Stefan Grefen <email@example.com>
Date: 09/07/1998 10:13:48
In message <Pine.NEB.firstname.lastname@example.org> Todd Vierling wrote:
> [thread copied to tech-security since I'm explaining the pitfalls of a
> NFS-mounted /dev]
> On Sun, 6 Sep 1998, Stefan Grefen wrote:
> : > Real
> : > device nodes on a NFS-mounted /dev are, as said before, dangerous and a
> : > serious security risk.
> : But than a file just doesn't help here, or you have to authenticate the file
> : with secret ...
> Authentication isn't the problem. The problem is device nodes which have
> the "wrong" major and minor on the NFS _server_.
By accident, but than this accident can be made to happen. It's not too
difficult to put yourself between an NFS client and server, fake a
the response and send arbitrary inodes (devices ...) to the client.
NFS is insecure, so the only option is to mount nodev.
> One way of helping is by providing a mechanism by which plain files on the
> NFS server can become device nodes - sort of like a "rose colored
> sunglasses" layer filesystem. The filesystem would just translate files via
> some not yet determined mechanism, both on read/write and inode
I think it's not worth the effort to do it just for nfs, to add persistence to
/devfs it is different issue.
> I'm actually quite surprised to learn that our NFS implementation doesn't
> support a `nomknod' export option, either. I'm submitting a PR on that one.
OOps, so the server should mount -nodev for now too.
> -- Todd Vierling (Personal email@example.com; Bus. firstname.lastname@example.org)
Stefan Grefen Tandem Computers Europe Inc.
email@example.com High Performance Research Center
--- Hacking's just another word for nothing left to kludge. ---