On Fri, Apr 26, 2013 at 06:52:55PM +0100, Ian Collier wrote:
> 
> Opening the file with O_CREAT|O_EXCL is a solid defense against the
> first two attacks in almost all common cases except when the temp
> filesystem is mounted over NFSv2.

NFSv2 has more problems than you might imagine.

Open with O_CREAT|O_EXCL can fail EEXIST even when the file didn't
exist and no other systems are involved. All it takes is for the
response to be timed out - the retry fails because the original
request created the file.
I hit that problem doing 'cp -r' and getting mkdir failing EEXIST,
in my case caused by the target taking a long time to respond due
to flash erases (and the initiator assuming constant RTT).

In general, NFSv2 has the following properties:
1) If you export part of a filesystem, you export all of it.
2) If you give anyone read access you give everyone read access.
3) If you give anyone write access you give everyone write access.
Most of that is because the permission checks are done by the
mount protocol - and then assume the client obeys the rules.
(2) requires that a file handle be generated - this used to be very easy!

        David

-- 
David Laight: da...@l8s.co.uk
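The retransmit failure described in the message above, modelled as an added example (this is constructed illustration code, not anything from the thread or from a real NFS implementation): a stateless client resends an identical CREATE when the reply is lost, and because exclusive CREATE is not idempotent the resend answers EEXIST although nobody else ever touched the file. The second function shows the client-side workaround documented in open(2): create a file under a name only this client would use, link() it to the wanted name, and on failure treat a link count of 2 on the unique file as success. Class names, the LossyTransport and the sample file names are all assumptions made for the model.

```python
"""Toy model of NFSv2 exclusive create under lost replies (constructed)."""
import errno
import itertools


class FakeNfsV2Server:
    """Stand-in server: names map to inodes, inodes carry a link count."""

    def __init__(self):
        self._names = {}                  # file name -> inode number
        self._nlink = {}                  # inode number -> link count
        self._inodes = itertools.count(1)

    def create_exclusive(self, name):
        """Non-idempotent CREATE: succeeds once, EEXIST on any repeat."""
        if name in self._names:
            return errno.EEXIST
        ino = next(self._inodes)
        self._names[name] = ino
        self._nlink[ino] = 1
        return 0

    def link(self, existing, new):
        """LINK is non-idempotent for the same reason."""
        if existing not in self._names:
            return errno.ENOENT
        if new in self._names:
            return errno.EEXIST
        ino = self._names[existing]
        self._names[new] = ino
        self._nlink[ino] += 1
        return 0

    def getattr_nlink(self, name):
        """GETATTR is idempotent: reading the link count is safe to repeat."""
        return self._nlink[self._names[name]]


class LossyTransport:
    """Executes every request on the server but loses the replies whose
    1-based sequence numbers are listed in drop_replies (constructed)."""

    def __init__(self, server, drop_replies=()):
        self.server = server
        self.drop_replies = set(drop_replies)
        self.seq = 0

    def call(self, op, *args):
        self.seq += 1
        result = getattr(self.server, op)(*args)   # server-side effect happens
        if self.seq in self.drop_replies:
            raise TimeoutError(f"reply to request {self.seq} lost")
        return result


def rpc(transport, op, *args, retries=3):
    """Stateless client retry: resend the identical request on timeout."""
    for _ in range(retries):
        try:
            return transport.call(op, *args)
        except TimeoutError:
            continue
    raise TimeoutError(f"{op} gave up after {retries} attempts")


def naive_exclusive_create(transport, name):
    """open(name, O_CREAT|O_EXCL) as NFSv2 carries it; returns an errno."""
    return rpc(transport, "create_exclusive", name)


def robust_exclusive_create(transport, name, unique):
    """open(2) recipe for exclusive creation over NFS. `unique` is a name
    only this client would use (hostname and PID in practice), so EEXIST
    on it can only be our own resent CREATE and is ignored."""
    if rpc(transport, "create_exclusive", unique) not in (0, errno.EEXIST):
        return False
    if rpc(transport, "link", unique, name) == 0:
        return True
    # Ambiguous failure: either someone else owns `name`, or our own LINK
    # succeeded and only the reply was lost. The link count decides.
    return rpc(transport, "getattr_nlink", unique) == 2


def demo():
    # 1. Lost reply to the first CREATE: the retry reports EEXIST although
    #    the file did not exist before and no other client is involved.
    naive = naive_exclusive_create(
        LossyTransport(FakeNfsV2Server(), drop_replies={1}), "tmp.lock")
    # 2. Same loss pattern on the LINK step: the link-count check recovers.
    robust_ok = robust_exclusive_create(
        LossyTransport(FakeNfsV2Server(), drop_replies={2}),
        "tmp.lock", "tmp.lock.hostA.4242")
    # 3. A genuine conflict is still reported as a failure.
    busy = FakeNfsV2Server()
    busy.create_exclusive("tmp.lock")
    robust_conflict = robust_exclusive_create(
        LossyTransport(busy), "tmp.lock", "tmp.lock.hostB.17")
    return naive, robust_ok, robust_conflict


if __name__ == "__main__":
    print(demo())   # (errno.EEXIST, True, False)
```

The model deliberately leaves the server without a duplicate-request cache, which is what later NFS servers added to make resent non-idempotent requests return the original reply; the client-side link-count check is the portable defence when you cannot rely on the server having one.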