Subject: Re: exporting -ro nfs
To: None <>
From: Bill Studenmund <>
List: tech-kern
Date: 01/26/2007 20:35:31
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Fri, Jan 26, 2007 at 02:53:42PM -0500, wro=
> >On Fri, Jan 26, 2007 at 06:46:36AM -0500, Thor Lancelot Simon wrote:
> >>On Thu, Jan 25, 2007 at 09:07:27PM +0100, Pavel Cahyna wrote:
> >>>=20
> >>> Could nullfs encrypt the filehandles of the underlying filesystem and=
> >>> those encrypted filehandles for NFS?
> >>
> >>What should actually happen is what e.g. Solaris does: the filehandle
> >>given to the client should *always* be generated from the exported
> >>directory and underlying filesystem specific data, rather than the
> >>underlying data alone. This would allow export of arbitrary directories
> >>with different permissions.
> >>
> If I understand what you are suggesting, it can result in multiple file
> handles/file when there are multiple hard links to a file. Although this
No. File handles within an fs will still be used in the same way. We will=
just have a different mapping between the file system specific info and=20
the on-wire NFS file handle.
> seems to be permitted for NFSv3 and NFSv4.0, it causes problems for clien=
> (See a recent thread titled "RE: Finding Hardlinks" in the email archive
> at They are going to try and "fix" the problem for NFSv4=
> If you avoid having multiple handles/file, you can encrypt the filehandle,
> but that still doesn't provide a lot of security, since a "bad guy" can
> simply replay the filehandle. Since filehandles are T stable (ie. valid f=
> a very long time), they can't be expired and so replay becomes a no brain=
True, but that's not the threat model we're worried about. We're worried=20
about file handles being used via a mount point other than the one that=20
reported it to the client.
Take care,
Content-Type: application/pgp-signature
Content-Disposition: inline
Version: GnuPG v1.4.3 (NetBSD)