Subject: Re: devfs (was Re: Not updating device file inode change times)
To: Todd Vierling <tv@pobox.com>
From: Stefan Grefen <grefen@hprc.tandem.com>
List: tech-kern
Date: 09/07/1998 10:13:48
In message <Pine.NEB.4.02.9809062333030.27465-100000@duhnet.net>  Todd Vierling wrote:
> [thread copied to tech-security since I'm explaining the pitfalls of a
> NFS-mounted /dev]
> 
> On Sun, 6 Sep 1998, Stefan Grefen wrote:
> 
> : > Real
> : > device nodes on a NFS-mounted /dev are, as said before, dangerous and a
> : > serious security risk.
> : 
> : But than a file just doesn't help here, or you have to authenticate the file
> : with secret  ...
> 
> Authentication isn't the problem.  The problem is device nodes which have
> the "wrong" major and minor on the NFS _server_.

By accident, but than this accident can be made to happen. It's not too
difficult to put yourself between an NFS client and server, fake a 
the response and send arbitrary inodes (devices ...) to the client.

NFS is insecure, so the only option is to mount nodev.

[...]

> 
> One way of helping is by providing a mechanism by which plain files on the
> NFS server can become device nodes - sort of like a "rose colored
> sunglasses" layer filesystem.  The filesystem would just translate files via
> some not yet determined mechanism, both on read/write and inode
> creation/modification.

I think it's not worth the effort to do it just for nfs, to add persistence to
/devfs it is different issue.
> 
> I'm actually quite surprised to learn that our NFS implementation doesn't
> support a `nomknod' export option, either.  I'm submitting a PR on that one.

OOps, so the server should mount -nodev for now too.

Stefan
> 
> -- 
> -- Todd Vierling (Personal tv@pobox.com; Bus. todd_vierling@xn.xerox.com)
> 

--
Stefan Grefen                                Tandem Computers Europe Inc.
grefen@hprc.tandem.com                       High Performance Research Center
 --- Hacking's just another word for nothing left to kludge. ---