On Mon, Apr 16, 2018 at 11:52:03PM -0700, Christoph Hellwig wrote: > Also even if we have a good reason to add it I absolutely want a config > option for the feature - it is a lot code adding potential attack > vectors, so we should not just enabled it by default. By the way, am I forgetting some mitigation or can a client provide any address it wants as the source server to copy from? That opens up the server to a lot of the same risks you'd see from unprivileged NFS mounts--a malicious client could copy from a server under it's control that's modified to exploit bugs in the server's NFS client code. I wonder if there's also the possibility of weird results even without malicious intent: e.g. a user copying files between two different servers may unintentionally tie up resources on the target server. There's interest in enabling unprivileged NFS mounts to allow unprivileged containers to do NFS mounts. But even if we get to the point where we're comfortable enabling that, distributions may still want it off by default, and may advise admins to do firewalling that restricts the set of NFS servers that containers can mount. --b. -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
