Subject: Re: NFS and reserved ports
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Frank van der Linden <>
List: tech-security
Date: 03/25/1997 11:01:03
Quoting Jonathan Stone,

> But the behaviour of checking mount requests and not the actual RPCs
> is broken. Why don't we *fix* it?  We could change the NFS server to
> check the ACLs for each NFS RPC, rather than just checking the mount
> requests?  (Or if it's ``too slow'', adding an option to do the
> checks, defaulting to "do the /exports ACL checks".)

The current code does do some checks. For each RPC (to be more precise:
for each filehandle to vnode conversion) a check is done. The information
from the exports file is mirrored (not completely, but..) inside the
kernel; each mountpoint has a list of hosts it is exported to and
associated flags. This is checked, at least for FFS filesystems,
but that is what we're talking about here. And with the latest changes,
the source port is also checked each time.

- Frank
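
A user-space model of the per-RPC check described in the message above, added here as an illustration; it is not NetBSD kernel code. The struct, flag and function names, the first-match rule and the sample export list are all assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* All names below are hypothetical; this models the idea, not kernel source. */
#define EX_RDONLY  0x1u  /* export is read-only */
#define EX_ANYPORT 0x2u  /* do not require a reserved source port */
#define RESERVED_LIMIT 1024  /* ports below this need root to bind on Unix */
#define IP(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))

enum verdict { ALLOW_RW, ALLOW_RO, DENY_HOST, DENY_PORT };
struct export_ent { uint32_t addr, mask; unsigned flags; };
struct mount_exports { const struct export_ent *ents; size_t n; };

/* Runs for every RPC (at filehandle-to-vnode conversion), not only at mount time. */
enum verdict check_rpc(const struct mount_exports *mp, uint32_t src, uint16_t sport)
{
    for (size_t i = 0; i < mp->n; i++) {
        const struct export_ent *e = &mp->ents[i];
        if ((src & e->mask) != (e->addr & e->mask))
            continue;                 /* not this entry's host or network */
        if (!(e->flags & EX_ANYPORT) && sport >= RESERVED_LIMIT)
            return DENY_PORT;         /* unprivileged source port */
        return (e->flags & EX_RDONLY) ? ALLOW_RO : ALLOW_RW;
    }
    return DENY_HOST;                 /* host is not in the export list */
}

/* Constructed sample: the in-kernel mirror of one mountpoint's exports entry. */
static const struct export_ent sample_ents[] = {
    { IP(192,0,2,10),   0xffffffffu, 0 },
    { IP(198,51,100,0), 0xffffff00u, EX_RDONLY | EX_ANYPORT },
};
static const struct mount_exports sample_mount = { sample_ents, 2 };

int main(void)
{
    static const char *names[] = { "allow rw", "allow ro", "deny host", "deny port" };
    printf("%s\n", names[check_rpc(&sample_mount, IP(192,0,2,10), 1023)]);
    printf("%s\n", names[check_rpc(&sample_mount, IP(192,0,2,10), 2049)]);
    printf("%s\n", names[check_rpc(&sample_mount, IP(203,0,113,5), 600)]);
    return 0;
}
```

Because the check runs on each request, a client that never sent a mount request is still rejected when its address is absent from the list, and a listed host is rejected when the request arrives from a non-reserved port.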