On Sat, Feb 20, 2010 at 11:58:34AM -0700, Andreas Dilger wrote:
> On 2010-02-18, at 22:42, Aneesh Kumar K.V wrote:
>> +long do_sys_open_by_handle(int dfd, struct file_handle *fh, int
>> flags)
>> +{
>> +	if (!capable(CAP_SYS_ADMIN))
>> +		/* Allow open by handle only by sysadmin */
>> +		return -EPERM;
>
> Hmm, I guess this avoids some of the security concerns, but makes it a
> lot less useful. I was thinking this could be used for e.g. user NFS
> serving or such, but if it is limited to root only then you might as
> well just set up the in-kernel NFSd. By making the handle hard to forge
> (e.g. generate random key per superblock, sha1(ino+gen+key) and store
> that into fh; someone with more security experience can think of a better
> scheme) then you can reasonably safely dispense with the CAP_SYS_ADMIN
> check because you can be sure that the proper path traversal has been
> done by a trusted process and there is no more exposure than unix socket
> fd passing.

The problem with filehandles is that they never die; they have to survive
essentially indefinitely, even across server reboots. A file descriptor
has a better-defined lifetime. A "secret" that can never be expired
doesn't strike me as a very good secret.

--b.
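The keyed-handle scheme Andreas sketches, and the expiry problem Bruce raises, as an added example that is not part of this thread or of the kernel patch: it mints a handle as inode number, generation and a truncated HMAC-SHA256 tag under a per-superblock key (HMAC in place of a bare sha1(ino+gen+key) is this example's own choice), verifies it in constant time, and shows that a handle stays valid exactly as long as the key it was minted under. The byte layout, the function names and the sample values are assumptions for illustration, not the kernel's `struct file_handle`.

```python
import hashlib
import hmac
import os
import struct

# Assumed handle layout (constructed for this example):
#   8-byte inode number | 4-byte generation | 16-byte truncated HMAC-SHA256 tag
HDR = struct.Struct("<QI")
TAG_LEN = 16


def new_superblock_key() -> bytes:
    """Random per-superblock secret, as the proposal sketches."""
    return os.urandom(32)


def mint_handle(key: bytes, ino: int, gen: int) -> bytes:
    """Handle = (ino, gen) plus a keyed tag; only the key holder can mint one."""
    body = HDR.pack(ino, gen)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def verify_handle(key: bytes, handle: bytes):
    """Return (ino, gen) if the tag checks out under this key, else None."""
    if len(handle) != HDR.size + TAG_LEN:
        return None
    body, tag = handle[:HDR.size], handle[HDR.size:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    # Constant-time compare so tag checking does not leak byte-by-byte.
    if not hmac.compare_digest(tag, expected):
        return None
    return HDR.unpack(body)


def tampered_handle(handle: bytes, new_ino: int) -> bytes:
    """Same tag, different inode: what a key-less guess of another file looks like."""
    _, gen = HDR.unpack(handle[:HDR.size])
    return HDR.pack(new_ino, gen) + handle[HDR.size:]


def key_rotation_effect(ino: int, gen: int):
    """Returns (valid_under_old_key, valid_under_new_key) for one handle.

    A persistent key keeps every issued handle valid indefinitely (Bruce's
    objection); regenerating the key at reboot expires all of them at once.
    """
    old_key, new_key = new_superblock_key(), new_superblock_key()
    h = mint_handle(old_key, ino, gen)
    return (verify_handle(old_key, h) == (ino, gen),
            verify_handle(new_key, h) == (ino, gen))
```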