Subject: Re: NFS and reserved ports
To: Perry E. Metzger <perry@piermont.com>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-security
Date: 03/24/1997 16:12:12
Rick Macklem writes:
[der mouse wrote:]
>>
>> They serve two functions: (1) to permit proper ESTALE errors on clients
>> when appropriate and (2) to make file handles hard to guess de novo.
>>
>> It might be worth noting that generation numbers were meant for (1) and
>> not (2). The latter is a recent hoax that, IMHO, does very little if
>> anything for security. Yea, I've seen what CERT says, but I don't buy it.
Perry Metzger replies:
>Well, it might be a hoax, but its the only security NFS has. If you
>can guess a handle, you don't even need to be on the list of clients
>allowed to touch a machine's file systems.
>I do not disagree that NFS security is low, however, without random
>generation numbers, it doesn't exist at all -- anyone on the internet
>can grab your files.
Well, there's always firewalls. Not everyone uses one.
But the behaviour of checking mount requests and not the actual RPCS
is broken. Why don't we *fix* it? We could change the NFS server to
check the ACLs for each NFS RPC, rather than just checking the mount
requests? (Or if it's ``too slow'', adding an option to do the
checks, defaulting to "do the /exports ACL checks".)
That would have a far higher security payback than simply
checking that each RPC request comes from a privileged port.
We would have to keep the ACLs in the kernel, but we could have mountd
write the up-to-date ACLs into the kernel each time it noticed
/etc/exports has changed, which is probably `good enough' for most NFS
usage.