Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp484348pxb; Thu, 14 Jan 2021 10:31:40 -0800 (PST) X-Google-Smtp-Source: ABdhPJwFWOR5hfZ3+0w/xS3Ti5qG+hqHm6k5lY6xpPYVbrt1Sl1z4eKZrPk44+LZiltCb9szeSOe X-Received: by 2002:a17:906:4c55:: with SMTP id d21mr6277249ejw.116.1610649099828; Thu, 14 Jan 2021 10:31:39 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610649099; cv=none; d=google.com; s=arc-20160816; b=lNKNeDN0l9PUjl3JNv+lxOG3IAuiH8L6cZqkc6waaam3D80cHAHIuruHMjx9cMUtr9 6qZrV/jC9yl4m3/L+s8g6jiKbjTipbVlK1aIgqAlbKkX6FWVwQFYPFGVlAKtESkMA0sK jSGnEWRtKMnJ1a7hXzvdLh76nlrNm0i7vhTzG2mptZNFJqToS58zetJZVtFMC3ML/OgW AB6qzPQKtaMDTApGLM3GDimhdwKRcOMps321EsCCZcucFm0YJHXVljfS3N4A2rwBUEHC iKXOCR5XxoKjXyBfLIprGfXw1tRR9Dd5zYvBQvt9xU31qIHtFCCglYU1tU2EWK0FiSKY Tklg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=8BchT47wA8A8/MNzwX06f7KnYw8kCTPmyqyEJptLgPg=; b=ekffuKpisEfjXdtTDICzkVZGmzYOu+DcjZiBLw1HEsr2W25J1J79lJgum7pcPt7S0P UzE8pZJOe/dafEIvX48Ba3Auc8Felcl0S69Jfhe6axTmHCWQnLkwxip58orRw9Cip12Z R0nwHpCmUZhlXkspEUC9/3x2M5Zw5JaPffT+Lj85l+ApmdEJ6BRcsKSnbmoN2g79tLcH mU3+Q30cnzmRewO67nEhCuZHgsNWGLhLek4B5/+aopn4XzvYpLodrqsRfgEyXWp7rSSf 6dsGKkBAHQQvVyevTrzXwy+SGdrZQwu/aUo17sfQPEozQO0HL0LZqW0VotO1B//lu3sr dufw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=google header.b="W92nAPQ/"; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z27si1543183ejf.110.2021.01.14.10.31.16; Thu, 14 Jan 2021 10:31:39 -0800 (PST) Received-SPF: pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=google header.b="W92nAPQ/"; spf=pass (google.com: domain of linux-nfs-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726492AbhANSa6 (ORCPT + 99 others); Thu, 14 Jan 2021 13:30:58 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60752 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726395AbhANSa6 (ORCPT ); Thu, 14 Jan 2021 13:30:58 -0500 Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 788CCC061575 for ; Thu, 14 Jan 2021 10:30:17 -0800 (PST) Received: by mail-lj1-x22a.google.com with SMTP id n8so7582380ljg.3 for ; Thu, 14 Jan 2021 10:30:17 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8BchT47wA8A8/MNzwX06f7KnYw8kCTPmyqyEJptLgPg=; b=W92nAPQ/rqraGSYVKN2y2UoLHCe513pUo7DJq9bG5CwaOo1zjp0LAY4E6GQOK4I3+W X4H8tBbhuskKKlvhZgkp9pHMotyUucLw684F2rrtfDUT9qCnzF4ENod/nMi8PBqxN6rm FjR7DVssNneOQJvwQmgDSbe5b5FI1O2G+g6kU= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8BchT47wA8A8/MNzwX06f7KnYw8kCTPmyqyEJptLgPg=; b=SQro2Ut+Jylm981TgsE5PF2bs6MJ7iOOvJPLpsHUih/5lqgKkK1oa8QvFWUYZEWl31 LwKCdS67w4zZCIaM64eAXSYQxD1M3DX9i7ch4Aph5fSOtq2ALCSEp2OcfVOYGssdYkGQ xBGoYi7d8yQmfY+NwhuT3uSCf5faeizwYF+WuZfDXncWmpFMac58A3EH4j/p9xvJqWRg 1MIQRABcXbgLPXnJqU1PX8P6peA0PpkIuQs6KYIeEO882uxXYaAL1tfTv3gIicDMZNTd SMXE4tYZ9kZ/+51OIUvrPAIXKiLcvFaBl4BxcoQUw9KH26Tcr3AtBrGo25o8CXFfpDXq T0OA== X-Gm-Message-State: AOAM531Twxe5YOPIozJXrwsRAu22pzFmvlJiqGRJlAMl/lWhVdNmCnYC zXM0QkqYpB3o1bIhTt6co56AyiR1t7+TnQ== X-Received: by 2002:a2e:804a:: with SMTP id p10mr3897221ljg.295.1610649015592; Thu, 14 Jan 2021 10:30:15 -0800 (PST) Received: from mail-lj1-f172.google.com (mail-lj1-f172.google.com. [209.85.208.172]) by smtp.gmail.com with ESMTPSA id 186sm536823ljf.21.2021.01.14.10.30.13 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 14 Jan 2021 10:30:13 -0800 (PST) Received: by mail-lj1-f172.google.com with SMTP id f17so7539038ljg.12 for ; Thu, 14 Jan 2021 10:30:13 -0800 (PST) X-Received: by 2002:a2e:9b13:: with SMTP id u19mr3548352lji.48.1610649013467; Thu, 14 Jan 2021 10:30:13 -0800 (PST) MIME-Version: 1.0 References: <20210108154230.GB950@1wt.eu> <20210111193655.GC2600@fieldses.org> <20210112153208.GF9248@fieldses.org> <8296b696a7fa5591ad3fbb05bfcf6bdf6175cc38.camel@hammerspace.com> <96aea58bde3fe4c09cccd9ead2a1c85eb887d276.camel@hammerspace.com> <74269493859fa65a7f594dadd5d86c74bd910e66.camel@hammerspace.com> <20210114180758.GB3914@fieldses.org> In-Reply-To: <20210114180758.GB3914@fieldses.org> From: Linus Torvalds Date: Thu, 14 Jan 2021 10:29:57 -0800 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: nfsd vurlerability submit To: "bfields@fieldses.org" Cc: Trond Myklebust , "linux-nfs@vger.kernel.org" , "chuck.lever@oracle.com" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Thu, Jan 14, 2021 at 10:08 AM bfields@fieldses.org wrote: > > I dug around a bit and couldn't find the idea of using filehandle > guessing plus mountd's following of symlinks to get access to other > filesystems. That's kind of interesting. [ Other people removed from cc, this is just a question about nfsd cleanliness ] I missed if Trond's suggestion to at least fix up ".." to have the same filehandle as "." for the top export directory was done. Because honestly, the whole "guessing file handles is easy" argument doesn't seem to cover the case that the client just does something wrong _by_mistake_, and this ends up then exposing the server unnecessarily that way. It's one thing if you have an actively malicious client that is controlled by an attacker and that then makes up its own file handles. It's another thing if you have a (benign) client that can be fooled to access files on the server that it shouldn't have. So I think that from a pure cleanliness standpoint, the server shouldn't give the client a file handle that the client mustn't actually ever use! It's just a recipe for "oops, I didn't mean to do something bad, but by mistake..." Hmm? Linus