Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!uunet!convex!thurlow
From: thurlow@convex.com (Robert Thurlow)
Newsgroups: comp.protocols.nfs
Subject: Re: Why not export /fs /fs/subdir?
Message-ID: <thurlow.677210173@convex.convex.com>
Date: 18 Jun 91 01:56:13 GMT
References: <felps.676828666@convex.convex.com> <10199@star.cs.vu.nl> <SHIRONO.91Jun17112649@gcx1.ssd.csd.harris.com> <1991Jun17.224716.4729@Think.COM>
Sender: usenet@convex.com (news access account)
Organization: CONVEX Computer Corporation, Richardson, Tx., USA
Lines: 18
Nntp-Posting-Host: dhostwo.convex.com

In <1991Jun17.224716.4729@Think.COM> barmar@think.com (Barry Margolin) writes:

>/export/root/foo -access=foo,root=foo
>/export/root/bar -access=bar,root=bar

>While most NFS implementations won't allow foo to access bar's partition, a
>superuser on foo could easily write a program that sends fake NFS requests,
>and then access server:/export/root/foo/../bar.

/export/root/foo/.. is a directory vnode on the client machine, which
has no member 'bar' unless you've created one there.  Remember that
pathname lookups always happen one component at a time over NFS so that
a standard directory separator doesn't have to be defined.

Rob T
--
Rob Thurlow, thurlow@convex.com
An employee and not a spokesman for Convex Computer Corp., Dallas, TX