On Sunday 08 July 2007, Al Viro wrote: > On Sun, Jul 08, 2007 at 12:37:48PM +0000, Pavel Machek wrote: > > I'm talking malicious _filesystems_ here, and yes, fuse is first of > > this kind. We want to handle unresponding NFS, but I believe handling > > malicious NFS server nicely is slightly out of scope. > > If your variant doesn't handle compromised NFS server, your variant is > needs to be fixed... That would depend on the type of compromise, right? Remember that the fundamental contract between a client and a server includes the client extending some trust to that server. Whether it's appropriate to extend that trust (at any given moment) is an out-of-band security issue. Trust is not a protocol issue ... more like an operational issue, and only slightly an implementation issue. A malicious filesystem could do many things. It could send private data off to someone who wasn't intended to receive that data. It could return falsified data. It could do any variety of things outside the protocol specification... And *MOST* of those would be impractical to defend against in code. Which is why I have such a hard time agreeing with your comment about "fixing" a client that doesn't try to defend itself. (Unless by "client" you also include the whole operational side of the client, including regular re-validation of the trust extended to that server... which would at best minimize damage caused by compromises.) _______________________________________________ linux-pm mailing list linux-pm@xxxxxxxxxxxxxxxxxxxxxxxxxx https://lists.linux-foundation.org/mailman/listinfo/linux-pm
