11.04.2012 22:20, J. Bruce Fields написал:
Suppose you export subtree /export/foo of filesystem /export to a
client, that client can also easily access anything else in /export; all
it hsa to do is guess the filehandle of the thing it wants to access (or
just guess filehandle of /export itself; root filehandles are likely
especially easily to guess), and then work from there.
I see.
So, if I undertand you correctly, filesystem to export should be not
only one per server, but also should not consist or any other files,
which are not allowed to export.
Currently, in OpenVZ we have kernel threads per container. Thus even
kernel threads are in "chroot jail".
But I'll check, do we have such vulnerability.
Thank you.
(There's a workaround: you can set the subtree_check option. That
causes a number of problems (renaming a file to a different directory
changes its filehandle, for example, so anyone trying to use it while it
gets renamed gets an unexpected ESTALE). So we don't recommend it.)
So if all the containers are sharing the same filesystem, then anyone
exporting a subdirectory of its own filesystem has essentially granted
access to everyone's filesystem.
For that reason it's really only recommended to export separate
filesystems....
Thanks. Anyway, we are going to get rid of "chroot jails" and replace
them by separated loop device.
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html