Subject: Re: exporting -ro nfs
To: None <tech-kern@netbsd.org, tech-security@netbsd.org>
From: George Georgalis <george@galis.org>
List: tech-kern
Date: 01/26/2007 14:01:14
On Fri, Jan 26, 2007 at 06:46:36AM -0500, Thor Lancelot Simon wrote:
>On Thu, Jan 25, 2007 at 09:07:27PM +0100, Pavel Cahyna wrote:
>> 
>> Could nullfs encrypt the filehandles of the underlying filesystem and use
>> those encrypted filehandles for NFS?
>
>What should actually happen is what e.g. Solaris does: the filehandle
>given to the client should *always* be generated from the exported
>directory and underlying filesystem specific data, rather than the
>underlying data alone.  This would allow export of arbitrary directories
>with different permissions.
>
>No, I am not volunteering to do this.  The code could possibly be lifted
>from a userspace NFS server such as amd, however.

I'm not sure of the technicals---that sounds reasonable.

But this whole thread makes me think a security advisory and man
page update is in order. If we have in exports

/usr/local/pub/sandbox -rw

and the /usr partition is a single filesystem. Remote clients
have rw for anything in /usr --- that's my current understanding,
and I don't think this is apparent to most admins. When we export
directories with NFS, we are exposing the _entire_filesystem_ via
rpc, not just the directory specified in exports (even though
brute force is required to rw files outside sandbox).

// George


-- 
George Georgalis, systems architect, administrator <IXOYE><
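An audit check for the exposure George describes above (an exported subdirectory that is not itself a mount point gives the client the whole underlying filesystem), as an added example that is not part of this thread; it assumes a simplified reading of the exports(5) syntax and uses a constructed mount table rather than reading the live one:

```python
import os

# Constructed sample /etc/exports in NetBSD exports(5) style (not from the thread).
SAMPLE_EXPORTS = """\
# comment line
/usr/local/pub/sandbox -rw client1.example.org
/home -ro -network=192.0.2.0 -mask=255.255.255.0
/usr -ro -maproot=nobody
"""

# Constructed mount table: one absolute mount point per line of `mount` output.
SAMPLE_MOUNTS = ["/", "/usr", "/home", "/var"]


def parse_exports(text):
    """Return (directory, options, hosts) tuples.
    Simplified tokenising (assumption): tokens starting with '/' are
    directories, tokens starting with '-' are options, anything else is a host."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        dirs, opts, hosts = [], [], []
        for tok in line.split():
            if tok.startswith("/"):
                dirs.append(os.path.normpath(tok))
            elif tok.startswith("-"):
                opts.append(tok)
            else:
                hosts.append(tok)
        for d in dirs:
            entries.append((d, opts, hosts))
    return entries


def filesystem_for(path, mounts):
    """Longest mount point that is a prefix of path, i.e. the filesystem
    whose filehandles the export actually hands out."""
    best = "/"
    for m in mounts:
        m = os.path.normpath(m)
        if path == m or path.startswith(m.rstrip("/") + "/"):
            if len(m) > len(best):
                best = m
    return best


def audit(exports_text, mounts):
    """Flag exports whose directory is not a mount point: with the filehandle
    behaviour discussed in the thread, the whole filesystem is reachable
    with the listed options, not just the named directory."""
    findings = []
    for d, opts, hosts in parse_exports(exports_text):
        fs = filesystem_for(d, mounts)
        if fs != d:
            findings.append((d, fs, " ".join(opts) or "(default)"))
    return findings
```

On a real host, feed it the contents of /etc/exports and the mount points from `mount`; the -rw finding for a subdirectory of a larger filesystem is the case to fix (separate filesystem, or -ro).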