Subject: Re: exporting -ro nfs
To: <>
From: David Laight <david@l8s.co.uk>
List: tech-security
Date: 01/26/2007 21:43:34
On Fri, Jan 26, 2007 at 04:31:08PM -0500, der Mouse wrote:
> > The mountd won't respond to a mount request for /usr unless "alldirs"
> > was specified, but it is true that a "bad guy" could guess/replay a
> > file handle for /usr and go from there.
> 
> I think it's actually worse than that; given a file handle for
> /usr/foo/bar/blee, someone not running normal client code could do ..
> lookups to walk up as far as the server will permit (which usually
> means, to the mount point on the server - /usr in this case).
> 
> It's been a while since I had my hands dirty with NFS, but I'm pretty
> sure that's how it generally works.

Certainly when I had some NFS code on the operating table the following were true:
1) If you give access to part of a file system, you give access to all of it.
2) If you give anyone read access you give everyone read access.
3) If you give anyone write access you give everyone write access.

(1) was true because you can fake file handles (harder now that inode generation
    numbers are likely to be random).
(2) and (3) were true because they were only verified by mountd.

	David

-- 
David Laight: david@l8s.co.uk
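
The behaviour discussed in this thread, as an added toy model that is not part of the original messages and is not real NFS code: a server whose export list is checked only by mountd, beside one that re-checks the export on every request. The names (Server, walk_up), the inode tree and the client addresses are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample file system: inode -> (name, parent inode); inode 2 is the root.
TREE = {2: ("usr", 2), 10: ("foo", 2), 11: ("bar", 10), 12: ("blee", 11)}

@dataclass
class Server:
    exports: dict            # exported directory inode -> set of allowed client addresses
    check_per_request: bool  # False models "only verified by mountd"

    def mount(self, client, inode):
        """mountd: issue a handle only if the export list allows this client."""
        if client not in self.exports.get(inode, set()):
            raise PermissionError("mountd: not exported to this client")
        return inode  # toy handle: just the inode number, a bearer token

    def under_export(self, client, inode):
        """True if inode is at or below a directory exported to client."""
        while client not in self.exports.get(inode, set()):
            parent = TREE[inode][1]
            if parent == inode:      # reached the file system root
                return False
            inode = parent
        return True

    def lookup_parent(self, client, handle):
        """nfsd: answer a '..' lookup on a presented handle."""
        parent = TREE[handle][1]
        if self.check_per_request and not (
                self.under_export(client, handle) and self.under_export(client, parent)):
            raise PermissionError("nfsd: outside this client's export")
        return parent

def walk_up(server, client, handle):
    """Repeat '..' lookups; return the directory names the server disclosed."""
    reached = []
    while True:
        try:
            parent = server.lookup_parent(client, handle)
        except PermissionError:
            return reached
        if parent == handle:
            return reached
        reached.append(TREE[parent][0])
        handle = parent

EXPORTS = {11: {"192.0.2.5"}}   # constructed: only /usr/foo/bar, to one client
weak, strict = Server(EXPORTS, False), Server(EXPORTS, True)
```

With the mountd-only check, any client holding a valid handle reaches /usr; with the per-request check, the permitted client is confined to the exported subtree and other clients get nothing.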