Subject: Re: NFS and reserved ports
To: Perry E. Metzger <perry@piermont.com>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-security
Date: 03/24/1997 16:12:12
Rick Macklem writes:
      [der mouse wrote:]
>>
>>    They serve two functions: (1) to permit proper ESTALE errors on clients
>>    when appropriate and (2) to make file handles hard to guess de novo.
>>
>> It might be worth noting that generation numbers were meant for (1) and
>> not (2). The latter is a recent hoax that, IMHO, does very little if
>> anything for security. Yea, I've seen what CERT says, but I don't buy it.

Perry Metzger replies:

>Well, it might be a hoax, but its the only security NFS has. If you
>can guess a handle, you don't even need to be on the list of clients
>allowed to touch a machine's file systems.

>I do not disagree that NFS security is low, however, without random
>generation numbers, it doesn't exist at all -- anyone on the internet
>can grab your files.

Well, there are always firewalls. Not everyone uses one.

But the behaviour of checking mount requests and not the actual RPCs
is broken. Why don't we *fix* it?  We could change the NFS server to
check the ACLs for each NFS RPC, rather than just checking the mount
requests?  (Or if it's ``too slow'', adding an option to do the
checks, defaulting to "do the /exports ACL checks".)

That would have a far higher security payback than simply
checking that each RPC request comes from a privileged port.

We would have to keep the ACLs in the kernel, but we could have mountd
write the up-to-date ACLs into the kernel each time it noticed
/etc/exports has changed, which is probably `good enough' for most NFS
usage.
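The design being proposed above (export ACL consulted on every NFS RPC, with mountd pushing a fresh copy of the parsed ACL into the kernel whenever /etc/exports changes), as an added toy model that is not part of this thread and not NetBSD's nfsd/mountd code. The export table, addresses, inode numbers and file contents are all constructed; the generation number is modelled as a random 32-bit value so that a handle with the wrong generation gets ESTALE, and the `check_every_rpc` switch stands in for the "do the /exports ACL checks" option.

```python
"""Toy model of NFS export-ACL enforcement: mount-time only vs. per-RPC.

Constructed, simplified model for illustration; not the NetBSD kernel code.
"""
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class FileHandle:
    """What the server hands out: export path, inode number, generation."""
    export: str
    inode: int
    generation: int


class NfsServer:
    def __init__(self, exports, exports_mtime, check_every_rpc):
        self.check_every_rpc = check_every_rpc  # the proposed option
        self.exports_mtime = None
        self.acl = {}        # kernel-resident copy: export path -> [networks]
        self.files = {}      # (export, inode) -> (generation, data)
        self.reload_exports(exports, exports_mtime)

    def reload_exports(self, exports, exports_mtime):
        """mountd's job in the proposal: when /etc/exports changes, parse it
        and write the up-to-date ACL into the kernel table the RPC path uses."""
        if exports_mtime == self.exports_mtime:
            return False
        self.acl = {path: [ipaddress.ip_network(n) for n in nets]
                    for path, nets in exports.items()}
        self.exports_mtime = exports_mtime
        return True

    def _client_allowed(self, export, client):
        addr = ipaddress.ip_address(client)
        return any(addr in net for net in self.acl.get(export, []))

    def create(self, export, inode, data):
        """Server-side file creation. The generation is random, so a handle
        built for a reused inode number differs from the old one (ESTALE)."""
        gen = secrets.randbits(32)
        self.files[(export, inode)] = (gen, data)
        return FileHandle(export, inode, gen)

    def mount(self, export, client):
        """MOUNT request: the only place the classic server checks the ACL."""
        return "OK" if self._client_allowed(export, client) else "EACCES"

    def read(self, handle, client):
        """NFS READ RPC. With check_every_rpc the export ACL is consulted here
        as well, so holding a valid handle is not sufficient on its own."""
        if self.check_every_rpc and not self._client_allowed(handle.export, client):
            return "EACCES"
        entry = self.files.get((handle.export, handle.inode))
        if entry is None or entry[0] != handle.generation:
            return "ESTALE"
        return entry[1]


def demo():
    """Run the same sequence against both server behaviours (constructed data)."""
    exports_v1 = {"/home": ["10.0.0.0/24"]}
    exports_v2 = {"/home": ["10.0.1.0/24"]}   # later edit drops the old client net
    allowed, outsider = "10.0.0.5", "192.0.2.9"
    results = {}
    for mode in ("mount_only", "per_rpc"):
        srv = NfsServer(exports_v1, exports_mtime=1,
                        check_every_rpc=(mode == "per_rpc"))
        fh = srv.create("/home", inode=42, data=b"secret")
        results[mode] = {
            "mount_allowed": srv.mount("/home", allowed),
            "mount_outsider": srv.mount("/home", outsider),
            "read_allowed": srv.read(fh, allowed),
            # outsider never mounted, but presents a handle it holds anyway
            "read_outsider": srv.read(fh, outsider),
        }
        # /etc/exports edited; mountd pushes the new ACL into the kernel
        srv.reload_exports(exports_v2, exports_mtime=2)
        results[mode]["read_after_exports_change"] = srv.read(fh, allowed)
        # handle with the right inode but the wrong generation -> ESTALE
        stale = FileHandle("/home", 42, (fh.generation + 1) & 0xFFFFFFFF)
        results[mode]["read_stale"] = srv.read(stale, "10.0.1.7")
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

With `check_every_rpc` off, the mount-time check rejects the outsider's MOUNT but then accepts its READ, and a client removed from /etc/exports keeps reading; with it on, both READs fail with EACCES. The random generation only ever buys ESTALE for a wrong handle, which is the (1) in der mouse's list; the ACL check is what actually binds the RPC to the client.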