Subject: Re: nfs - export file
To: Nathan J. Williams <nathanw@MIT.EDU>
From: John Franklin <franklin@elfie.org>
List: tech-security
Date: 09/25/2001 14:06:14
On Tue, Sep 25, 2001 at 12:10:47PM -0400, Nathan J. Williams wrote:
> In reality, an attacker could access any of the exported filesystems
> with options permitted by the least restrictive of the exports.
>
> The NFSv2 spec is RFC 1094, NFSv3 is 1813, and I'm ignoring NFSv4
> because it doesn't really exist in the market yet. The details are in
> there.
Are you saying that the NFS export ID can't be and/or isn't encoded in
the NFS filehandle? Or the client IP (to prevent shared FHs?) Or any
other security token? Say, hash the filehandle with a secret number
held by the server, and include the last 4-8 bytes in the file handle?
It should be trivial to allow different options on NFS exported
filesystems.
jf
--
John Franklin
franklin@elfie.org
ICBM: N37 12'54", W80 27'14" Z+2100'