To: Jesse Pollard <jesse@cats-chateau.net>
Cc: Stephan von Krawczynski <skraw@ithnet.com>, root@chaos.analogic.com,
       helgehaf@aitel.hist.no, linux-kernel@vger.kernel.org
Subject: Re: FS: hardlinks on directories
References: <20030804141548.5060b9db.skraw@ithnet.com>
	<Pine.LNX.4.53.0308050916140.5994@chaos>
	<20030805160435.7b151b0e.skraw@ithnet.com>
	<03080510020503.05972@tabby>
From: Trond Myklebust <trond.myklebust@fys.uio.no>
Date: 05 Aug 2003 17:44:06 +0200
In-Reply-To: <03080510020503.05972@tabby>
Message-ID: <shsk79s6reh.fsf@charged.uio.no>
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.4 (Honest Recruiter)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1221
Lines: 21

>>>>> " " == Jesse Pollard <jesse@cats-chateau.net> writes:

     > You do have to remember that any NFS export gives IMPLICIT
     > access to the entire filesystem (it is the device number that
     > is actually exported). If the attacker can generate
     > device:inode number, then that file reference can be opened. I
     > haven't read/seen anything yet that has said different.

Not entirely true. The default under Linux is to enable subtree
checks. This means that knfsd must establish that the file being
accessed lies within a subtree the head of which is the export point.
This wreaks havoc with cross-directory renames etc, so a lot of people
disable it, however it is a slightly safer default...

Of course if you start playing with the idea of hard linked
directories then subtree checks are no longer an option as the path
connecting an export point and the file is no longer guaranteed to be
unique (and some paths may not even be finite).

Cheers,
  Trond
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/