Path: utzoo!utgpu!watserv1!watmath!att!linac!pacific.mps.ohio-state.edu!zaphod.mps.ohio-state.edu!think.com!barmar
From: barmar@think.com (Barry Margolin)
Newsgroups: comp.protocols.nfs
Subject: Re: Why not export /fs /fs/subdir?
Message-ID: <1991Jun18.040038.15141@Think.COM>
Date: 18 Jun 91 04:00:38 GMT
References: <1991Jun17.224716.4729@Think.COM>
Sender: news@Think.COM
Reply-To: barmar@think.com
Organization: Thinking Machines Corporation, Cambridge MA, USA
Lines: 23

In article thurlow@convex.com (Robert Thurlow) writes:
>In <1991Jun17.224716.4729@Think.COM> barmar@think.com (Barry Margolin) writes:
>>While most NFS implementations won't allow foo to access bar's partition, a
>>superuser on foo could easily write a program that sends fake NFS requests,
>>and then access server:/export/root/foo/../bar.

>/export/root/foo/.. is a directory vnode on the client machine, which
>has no member 'bar' unless you've created one there. Remember that
>pathname lookups always happen one component at a time over NFS so that
>a standard directory separator doesn't have to be defined.

What do vnodes have to do with anything? My point about "fake NFS
requests" was that a user-written program could send the following RPC
operations (I'm using pseudocode, not precise representations of the
procedure calls):

	mount_handle = Mount("/export/root/foo");
	outer_handle = Lookup(mount_handle, "..");
	bar_handle = Lookup(outer_handle, "bar");

--
Barry Margolin, Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar
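
An added example, not part of the original post: a toy in-memory model of the Mount/Lookup sequence above, run against a server that resolves ".." without checking the export boundary and against one that refuses any lookup whose result leaves the caller's export. ToyServer, replay_sequence, the export table and the directory tree are all constructed for illustration and do not represent any real NFS implementation.

```python
import posixpath

# Constructed sample data: which client may mount which export.
EXPORTS = {"/export/root/foo": "foo", "/export/root/bar": "bar"}
# Constructed directory tree on the toy server.
TREE = {"/", "/export", "/export/root", "/export/root/foo",
        "/export/root/foo/etc", "/export/root/bar"}


class ToyServer:
    """In-memory stand-in for an NFS server; handles are opaque integers."""

    def __init__(self, enforce_export_boundary):
        self.enforce = enforce_export_boundary
        self.paths = {}  # handle -> server-side directory path

    def _issue(self, path):
        handle = len(self.paths) + 1
        self.paths[handle] = path
        return handle

    def _inside_export(self, client, path):
        return any(path == exp or path.startswith(exp + "/")
                   for exp, owner in EXPORTS.items() if owner == client)

    def mount(self, client, path):
        if EXPORTS.get(path) != client:
            raise PermissionError("export not available to " + client)
        return self._issue(path)

    def lookup(self, client, handle, name):
        if "/" in name:
            raise ValueError("LOOKUP takes one path component at a time")
        target = posixpath.normpath(posixpath.join(self.paths[handle], name))
        if target not in TREE:
            raise FileNotFoundError(target)
        # Hardened mode: the result must stay inside an export of this client.
        if self.enforce and not self._inside_export(client, target):
            raise PermissionError("lookup leaves the client's export")
        return self._issue(target)


def replay_sequence(server, client="foo"):
    """Replay the three calls from the post; return the path reached."""
    try:
        h = server.mount(client, "/export/root/foo")
        h = server.lookup(client, h, "..")
        h = server.lookup(client, h, "bar")
    except PermissionError:
        return "denied"
    return server.paths[h]
```

The check sits on the server because, as the post argues, the client side of the protocol cannot be trusted to walk paths honestly.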