2002-04-18 04:34:09

by David Shirley

Subject: Problem with permissions

Hi All,

We have a NFSV3 server (UDP) and NFSV3 clients. Now
when the permissions on a file are say rwx-----x
ie world executable, then non-owners and non-group
members can read the file as well as execute it?

This shouldn't be the case?

Are there any switches or anything on the server that
I need to configure?

Cheers
Dave


/-----------------------------------
David Shirley
System's Administrator
Computer Science - Curtin University
(08) 9266 2986
-----------------------------------/


_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs


2002-04-18 06:42:53

by NeilBrown

Subject: Re: Problem with permissions

On Thursday April 18, [email protected] wrote:
> Hi All,
>
> We have a NFSV3 server (UDP) and NFSV3 clients. Now
> when the permissions on a file are say rwx-----x
> ie world executable, then non-owners and non-group
> members can read the file as well as execute it?
>
> This shouldn't be the case?
>
> Are there any switches or anything on the server that
> I need to configure?
>

I believe that this is a client issue (though it could possibly be a
server issue).

The server has to allow the client computer to read such a file so
that it can then execute it. However the client computer should
restrict client applications to only using "exec" on the file, not
"open".

When an application asks for an open(READ), the client should send an
ACCESS3 request to the server asking if that user has READ access.
The server will say "no" (at least the code looks like it should) and
the client should honour that.

What client OS are you using?
I seem to recall that there was a time when the Linux NFS client
didn't use ACCESS requests, but I think that has been fixed (but Trond
could say for sure).

It is all rather academic really. If you want to read a file that is
executable but not readable, you just execute it under ptrace control
and suck out whatever you want from the process.


NeilBrown


2002-04-18 07:23:34

by Trond Myklebust

Subject: Re: Problem with permissions

>>>>> " " == Neil Brown <[email protected]> writes:

> The server has to allow the client computer to read such a file
> so that it can then execute it. However the client computer
> should restrict client applications to only using "exec" on the
> file, not "open".

mmap(/proc/<pid>/mem);

There isn't really a good way to restrict an application to only exec
the file. I believe you will find more reasons why Al & Linus have
refused to implement this if you trawl through the l-k archives.

> What client OS are you using? I seem to recall that there was
> a time when the Linux NFS client didn't use ACCESS requests,
> but I think that has been fixed (but Trond could say for sure).

ACCESS is unfortunately not yet fully implemented in any of the
existing Linux kernels. I still need to work on a good way to cache
the results.
At the moment we only check in order to try to overturn a false
negative on the permissions. Here we are talking about a false
positive.

Cheers,
Trond
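
The split Neil and Trond describe above, as an added example that is not part of any post in the thread and is not nfsd or Linux client code: a simplified C model of what an ACCESS3 reply grants versus what the server must let through on a READ call for an execute-only file. The struct names, helper functions and sample uid/gid values are assumptions made for illustration; the ACCESS3 bit values are from RFC 1813.

```c
/* Simplified model (an assumption, not nfsd source) of the two
 * server-side checks discussed in the thread, for a regular file. */
#include <stdint.h>
#include <stdio.h>

/* ACCESS3 bits as defined in RFC 1813 */
#define ACCESS3_READ    0x0001
#define ACCESS3_MODIFY  0x0004
#define ACCESS3_EXTEND  0x0008
#define ACCESS3_EXECUTE 0x0020

struct file_attr { uint32_t mode, uid, gid; };  /* hypothetical type */
struct cred      { uint32_t uid, gid; };        /* one gid, for brevity */

/* Pick the owner/group/other rwx triplet that applies to this caller. */
static uint32_t rwx_for(const struct file_attr *f, const struct cred *c)
{
    if (c->uid == f->uid) return (f->mode >> 6) & 7;
    if (c->gid == f->gid) return (f->mode >> 3) & 7;
    return f->mode & 7;
}

/* What an ACCESS3 reply grants out of the bits the client asked about. */
uint32_t access3_reply(const struct file_attr *f, const struct cred *c,
                       uint32_t want)
{
    uint32_t rwx = rwx_for(f, c), granted = 0;
    if (rwx & 4) granted |= ACCESS3_READ;
    if (rwx & 2) granted |= ACCESS3_MODIFY | ACCESS3_EXTEND;
    if (rwx & 1) granted |= ACCESS3_EXECUTE;
    return granted & want;
}

/* Whether a READ call gets through: read permission, or execute
 * permission, because the client has to fetch the bytes to run them. */
int server_allows_read_rpc(const struct file_attr *f, const struct cred *c)
{
    return (rwx_for(f, c) & (4 | 1)) != 0;
}

int main(void)
{
    struct file_attr f = { 0701, 1000, 1000 };  /* rwx-----x, constructed */
    struct cred other  = { 2000, 2000 };        /* non-owner, non-group */
    uint32_t got = access3_reply(&f, &other, ACCESS3_READ | ACCESS3_EXECUTE);
    printf("ACCESS3 grants READ=%d EXECUTE=%d; READ rpc allowed=%d\n",
           !!(got & ACCESS3_READ), !!(got & ACCESS3_EXECUTE),
           server_allows_read_rpc(&f, &other));
    return 0;
}
```

In this model the two answers differ for an execute-only file, so the read restriction holds only if the client asks ACCESS3 before open() and honours the reply.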
