On Sat, 21 Aug 2010 18:30:24 +1000
Nick Piggin <firstname.lastname@example.org> wrote:
> > They allow a credible user-space implementation of the server for some
> > network filesystem protocols such as NFS and apparently 9P.
>
> I don't see what you are getting at here... which particular security issues,
> and what fd would you use?
As I understand it there are only two security issues that have been noted.
1/ lookup-by-filehandle can bypass any 'search' permission tests on ancestor
directories. I cannot see any way to avoid this except require
2/ Creating a hardlink to an 'fd' allows a process that was given an 'fd'
that it could not have opened itself to prevent that file from being
removed (and space reclaimed) by creating a private hardlink.
This could be avoided by requiring CAP_DAC_READ_SEARCH for that particular
operation (and probably requiring i_nlink > 0 anyway) but that feels like
a very special-case restriction.
Was it one of these that you were referring to?
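An added probe for the hardlink-to-fd case in item 2/ (example code, not from this thread): it uses linkat(2) with AT_EMPTY_PATH, the form this operation later took in Linux, reports whether the calling process is allowed to give an open fd a new name, and shows that a file whose link count has already dropped to zero cannot be re-linked at all. Using /tmp as the scratch directory is an assumption.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Try to give an open fd a new name with linkat(AT_EMPTY_PATH). Returns 0
 * when the kernel allows it, otherwise linkat()'s errno (Linux answers
 * ENOENT when the caller lacks CAP_DAC_READ_SEARCH). With unlink_first != 0
 * the file's only name is removed before the attempt, so i_nlink is 0 and
 * the kernel refuses regardless of privilege. Scratch names live in /tmp
 * (an assumption) and are cleaned up before returning. */
int probe_link_from_fd(int unlink_first)
{
    char src[] = "/tmp/fdlink-src-XXXXXX";
    char dst[] = "/tmp/fdlink-dst-XXXXXX";
    int fd = mkstemp(src);
    if (fd < 0)
        return errno;

    /* Reserve a unique destination name, then free it for linkat() to create. */
    int dfd = mkstemp(dst);
    if (dfd < 0) {
        int e = errno;
        close(fd);
        unlink(src);
        return e;
    }
    close(dfd);
    unlink(dst);

    if (unlink_first)
        unlink(src);            /* fd stays open, but i_nlink drops to 0 */

    int rc = linkat(fd, "", AT_FDCWD, dst, AT_EMPTY_PATH);
    int result = (rc == 0) ? 0 : errno;

    if (rc == 0)
        unlink(dst);            /* do not leave a pinned copy behind */
    if (!unlink_first)
        unlink(src);
    close(fd);
    return result;
}

int main(void)
{
    int r = probe_link_from_fd(0);
    printf("linked file:   %s\n", r ? strerror(r) : "allowed (CAP_DAC_READ_SEARCH held)");
    r = probe_link_from_fd(1);
    printf("unlinked file: %s\n", r ? strerror(r) : "allowed");
    return 0;
}
```

Run it once as an unprivileged user and once with CAP_DAC_READ_SEARCH to see the two outcomes for the first probe; the second probe is refused either way.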