Subject: Re: devfs (was Re: Not updating device file inode change times)
To: Stefan Grefen <grefen@hprc.tandem.com>
From: Todd Vierling <tv@pobox.com>
List: tech-security
Date: 09/06/1998 23:46:16
[thread copied to tech-security since I'm explaining the pitfalls of a
NFS-mounted /dev]

On Sun, 6 Sep 1998, Stefan Grefen wrote:

: > Real
: > device nodes on a NFS-mounted /dev are, as said before, dangerous and a
: > serious security risk.
: 
: But then a file just doesn't help here, or you have to authenticate the file
: with secret ...

Authentication isn't the problem.  The problem is device nodes which have
the "wrong" major and minor on the NFS _server_.

Just a straw example:  You log into a NetBSD/arm32 NFS client on the
console.  The NFS server is NetBSD/alpha.  So the arm32 client's
/dev/console, device 2,0, becomes your uid and readable and writable by you.  
Log into the alpha server and do reads from /export/somebox/dev/console, and
be very surprised by the fact that you're reading the Alpha's /dev/mem!  
(Remember that the device node is also _writable_ by your uid.)

This device number inconsistency is a bug in the _best_ case.  When you
bring non-NetBSD systems into the picture, it's just plain dumb.

One way of helping is by providing a mechanism by which plain files on the
NFS server can become device nodes - sort of like a "rose colored
sunglasses" layer filesystem.  The filesystem would just translate files via
some not yet determined mechanism, both on read/write and inode
creation/modification.

I'm actually quite surprised to learn that our NFS implementation doesn't
support a `nomknod' export option, either.  I'm submitting a PR on that one.

-- 
-- Todd Vierling (Personal tv@pobox.com; Bus. todd_vierling@xn.xerox.com)
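As an added example (not code from the thread or from NetBSD), here is a small audit script that walks an exported tree such as the `/export/somebox/dev` mentioned above, lists every character or block device node it finds, and reports what the node's major/minor pair would select on the client architecture versus the server architecture. The only two device-number facts in its table are the ones stated in the mail (arm32 `2,0` is `/dev/console`; alpha `2,0` is `/dev/mem`); every other pair is reported as unknown, and the default path is a placeholder taken from the mail.

```python
"""Audit an exported directory tree for device nodes and show what their
major/minor numbers would mean on the NFS server's architecture.

Added example for the thread above; not part of the original mail.
DEVICE_TABLE holds only the two facts stated in the mail (arm32 2,0 is
/dev/console, alpha 2,0 is /dev/mem). Anything else is an assumption.
"""
import os
import stat
from dataclasses import dataclass

# Per-architecture meaning of a (major, minor) pair. Only the two entries
# given in the mail are present; unknown pairs are reported as "unknown".
DEVICE_TABLE = {
    "arm32": {(2, 0): "console"},
    "alpha": {(2, 0): "mem"},
}


@dataclass
class DeviceNode:
    path: str
    kind: str      # "char" or "block"
    major: int
    minor: int
    uid: int
    mode: int      # permission bits only (stat.S_IMODE)


def describe(node: DeviceNode, arch: str) -> str:
    """Name the device that node's numbers select on the given architecture."""
    return DEVICE_TABLE.get(arch, {}).get((node.major, node.minor), "unknown")


def classify(node: DeviceNode, client_arch: str, server_arch: str) -> dict:
    """Findings for one device node found inside an export.

    'mismatch' is the hazard from the mail: the same numbers name a different
    device on the server than on the client that created the node.
    """
    client_meaning = describe(node, client_arch)
    server_meaning = describe(node, server_arch)
    return {
        "path": node.path,
        "kind": node.kind,
        "client_meaning": client_meaning,
        "server_meaning": server_meaning,
        "mismatch": client_meaning != server_meaning,
        # A node owned by an ordinary uid is one that uid can open on the
        # server side, which is the "writable by your uid" point in the mail.
        "nonroot_owner": node.uid != 0,
        "world_writable": bool(node.mode & stat.S_IWOTH),
    }


def scan_tree(root: str) -> list:
    """Collect every char/block device node under root without following symlinks."""
    nodes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:  # os.walk lists non-directories (device nodes too) here
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
                nodes.append(DeviceNode(
                    path=path,
                    kind="char" if stat.S_ISCHR(st.st_mode) else "block",
                    major=os.major(st.st_rdev),
                    minor=os.minor(st.st_rdev),
                    uid=st.st_uid,
                    mode=stat.S_IMODE(st.st_mode),
                ))
    return nodes


def audit_export(root: str, client_arch: str, server_arch: str) -> list:
    """Run the scan and classify each device node found."""
    return [classify(n, client_arch, server_arch) for n in scan_tree(root)]


if __name__ == "__main__":
    import sys
    # Placeholder path from the mail; pass a real export root as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else "/export/somebox/dev"
    for finding in audit_export(root, "arm32", "alpha"):
        print(finding)
```

Run it on the server against the export root; any result with `mismatch` true or `nonroot_owner` true is a node worth removing. This is only a check after the fact: the real fix the mail asks for is an export option that refuses `mknod` on the server side, so such nodes never appear in the export at all.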