But who is our attacker?

If they have sufficient control of an IP address that they can fake up
NFS requests from that IP address, and if that IP address is trusted
by knfsd, then they had better be a good friend. Otherwise they can
simply mount the root of the filesystem (mountd trusts the same IPs
that knfsd trusts) and walk around the filetree changing their
AUTH_UNIX identity as required.

Given that Linux knfsd only allows requests from known IP addresses, I
don't think randomness in the filehandle actually is needed at all
(this only fully occurred to me after I sent my previous message).

The value of randomness (and fsirand) was for other NFS servers which
rely on mountd to do all authentication, and will accept NFS requests
from any IP address providing that the filehandle is valid.

The only filehandles that are not directly available to an authorised
client are handles for files inside directories for which x access has
been squashed (with root_squash or all_squash), and you have put code
in to (mostly) check for that.

So my new suggestion is: Don't bother with random file handles, it
doesn't add anything.
NeilBrown
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
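As an added illustration of the two trust models compared in the message above (this is a toy model written for this page, not code from the message or from knfsd), the Python below contrasts a server that relies on mountd alone, where only the unguessability of the handle protects it, with a knfsd-style server that checks the export list on every NFS request and so rejects a forged handle before looking at it. Class and function names, the IP addresses, the inode numbers and the handle layout are all constructed for the illustration.

```python
import secrets
from dataclasses import dataclass, field

# Toy model of the two trust policies discussed above. All names here are
# made up for illustration; this is not knfsd's code or its handle format.

@dataclass(frozen=True)
class FileHandle:
    fsid: int
    ino: int
    gen: int  # generation number carried inside the handle

@dataclass
class NfsServer:
    exports: set           # client IPs allowed by the export list
    check_ip_on_nfs: bool  # True: knfsd-style, every NFS request is IP-checked
    random_gen: bool       # True: generation numbers are random (fsirand-like)
    _gens: dict = field(default_factory=dict)
    def _gen_for(self, ino):
        # Server-side generation table: predictable (0) or unguessable.
        if ino not in self._gens:
            self._gens[ino] = 1 + secrets.randbelow(2**32) if self.random_gen else 0
        return self._gens[ino]
    def mount(self, client_ip, fsid):
        # mountd hands a root handle only to export-listed hosts.
        if client_ip not in self.exports:
            raise PermissionError("mountd: not exported to this host")
        return FileHandle(fsid, 2, self._gen_for(2))  # constructed root inode
    def nfs_read(self, client_ip, fh):
        # NFS layer: optionally check the source IP, then validate the handle.
        if self.check_ip_on_nfs and client_ip not in self.exports:
            return "NFSERR_ACCES (source IP not exported)"
        if fh.gen != self._gen_for(fh.ino):
            return "NFSERR_STALE (handle not valid)"
        return f"data of inode {fh.ino}"

def untrusted_guess(server, fsid, ino):
    # A host outside the export list gets nothing from mountd; all it can do is present a handle with a guessed generation number.
    return server.nfs_read("203.0.113.9", FileHandle(fsid, ino, 0))

def run_cases():
    ex = {"192.0.2.10"}  # constructed export list
    plain = NfsServer(ex, check_ip_on_nfs=False, random_gen=False)
    rand = NfsServer(ex, check_ip_on_nfs=False, random_gen=True)
    knfsd = NfsServer(ex, check_ip_on_nfs=True, random_gen=False)
    return {"mountd_only+plain": untrusted_guess(plain, 1, 42),
            "mountd_only+random": untrusted_guess(rand, 1, 42),
            "ip_acl+plain": untrusted_guess(knfsd, 1, 42),
            "ip_acl+trusted": knfsd.nfs_read("192.0.2.10", knfsd.mount("192.0.2.10", 1))}
```

Only the mountd-only server with predictable generation numbers serves the forged request; randomising the generation number closes that case, and the IP check on every request makes the handle format irrelevant for hosts outside the export list.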