Re: [RFC PATCH 2/3] vfs: Add open by file handle support

["J. Bruce Fields" <bfields@fieldses.org>]

On Sat, Feb 20, 2010 at 11:58:34AM -0700, Andreas Dilger wrote:
> On 2010-02-18, at 22:42, Aneesh Kumar K.V wrote:
>> +long do_sys_open_by_handle(int dfd, struct file_handle *fh, int  
>> flags)
>> +{
>> +	if (!capable(CAP_SYS_ADMIN))
>> +		/* Allow open by handle only by sysadmin */
>> +		return -EPERM;
>
> Hmm, I guess this avoids some of the security concerns, but makes it a  
> lot less useful.  I was thinking this could be used for e.g. user NFS  
> serving or such, but if it is limited to root only then you might as  
> well just set up the in-kernel NFSd.  By making the handle hard to forge 
> (e.g. generate random key per superblock, sha1(ino+gen+key) and store 
> that into fh; someone with more security experience can think of a better 
> scheme) then you can reasonably safely dispense with the CAP_SYS_ADMIN 
> check because you can be sure that the proper path traversal has been 
> done by a trusted process and there is no more exposure than unix socket 
> fd passing.

The problem with filehandles is that they never die; they have to
survive essentially indefinitely, even across server reboots.

A file descriptor has a better-defined lifetime.

A "secret" that can never be expired doesn't strike me as a very good
secret.

--b.