Re: nfsd vulnerability submit

On Thu, Jan 14, 2021 at 10:08 AM bfields@xxxxxxxxxxxx
<bfields@xxxxxxxxxxxx> wrote:
>
> I dug around a bit and couldn't find the idea of using filehandle
> guessing plus mountd's following of symlinks to get access to other
> filesystems.  That's kind of interesting.

[ Other people removed from cc, this is just a question about nfsd cleanliness ]

I missed if Trond's suggestion to at least fix up ".." to have the
same filehandle as "." for the top export directory was done.

Because honestly, the whole "guessing file handles is easy" argument
doesn't seem to cover the case that the client just does something
wrong _by_mistake_, and this ends up then exposing the server
unnecessarily that way.

It's one thing if you have an actively malicious client that is
controlled by an attacker and that then makes up its own file handles.

It's another thing if you have a (benign) client that can be fooled to
access files on the server that it shouldn't have.

So I think that from a pure cleanliness standpoint, the server
shouldn't give the client a file handle that the client mustn't
actually ever use! It's just a recipe for "oops, I didn't mean to do
something bad, but by mistake..."

Hmm?

               Linus


