From: "J. Bruce Fields"
Subject: Re: [RFC PATCH 2/3] vfs: Add open by file handle support
Date: Fri, 26 Feb 2010 14:24:36 -0500
Message-ID: <20100226192436.GC23556@fieldses.org>
To: Andreas Dilger
Cc: "Aneesh Kumar K.V", hch@infradead.org, viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org
In-Reply-To:
References: <1266558149-11460-1-git-send-email-aneesh.kumar@linux.vnet.ibm.com> <1266558149-11460-3-git-send-email-aneesh.kumar@linux.vnet.ibm.com>

On Sat, Feb 20, 2010 at 11:58:34AM -0700, Andreas Dilger wrote:
> On 2010-02-18, at 22:42, Aneesh Kumar K.V wrote:
>> +long do_sys_open_by_handle(int dfd, struct file_handle *fh, int
>> flags)
>> +{
>> + if (!capable(CAP_SYS_ADMIN))
>> + /* Allow open by handle only by sysadmin */
>> + return -EPERM;
>
> Hmm, I guess this avoids some of the security concerns, but makes it a
> lot less useful. I was thinking this could be used for e.g. user NFS
> serving or such, but if it is limited to root only then you might as
> well just set up the in-kernel NFSd. By making the handle hard to forge
> (e.g. generate random key per superblock, sha1(ino+gen+key) and store
> that into fh; someone with more security experience can think of a better
> scheme) then you can reasonably safely dispense with the CAP_SYS_ADMIN
> check because you can be sure that the proper path traversal has been
> done by a trusted process and there is no more exposure than unix socket
> fd passing.

The problem with filehandles is that they never die; they have to
survive essentially indefinitely, even across server reboots. A file
descriptor has a better-defined lifetime.

A "secret" that can never be expired doesn't strike me as a very good
secret.

--b.
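Review bot: the capable(CAP_SYS_ADMIN) test at the top of do_sys_open_by_handle is the only authorization in the quoted hunk, and it is load-bearing, because opening by handle skips the per-directory permission checks a path walk would have applied; any relaxation of it, such as the keyed-handle scheme Andreas proposes, has to guarantee that a caller cannot present a handle for an inode it could never have reached by path, and, as Bruce notes, such a key cannot be rotated without invalidating every handle already handed out. A smaller point: the explanatory comment sits between the `if` and its `return -EPERM;`, which is legal C but reads as if the return were unconditional; move the comment above the `if` so the one-statement body is visible at a glance.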
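Andreas's keyed-handle idea and Bruce's lifetime objection, as an added Python example that is not part of the patch or the thread: HMAC-SHA256 stands in for the sha1(ino+gen+key) he sketches, the per-superblock keys are constructed values, and the last case of the walk-through shows why a key that must outlive every issued handle can never be retired.

```python
import hashlib
import hmac
import struct

BODY_FMT = ">QI"                      # inode number (u64), generation (u32)
BODY_LEN = struct.calcsize(BODY_FMT)  # 12 bytes
TAG_LEN = 16                          # constructed choice: 128 bits of MAC kept


def make_handle(sb_key: bytes, ino: int, gen: int) -> bytes:
    """Encode (ino, gen) and append a tag keyed with the per-superblock secret."""
    body = struct.pack(BODY_FMT, ino, gen)
    tag = hmac.new(sb_key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def open_by_handle(sb_key: bytes, fh: bytes):
    """Return (ino, gen) if the tag verifies under sb_key, else None.

    None stands in for the kernel's error return: the caller presented a
    handle this superblock never issued, or issued under a retired key.
    """
    if len(fh) != BODY_LEN + TAG_LEN:
        return None
    body, tag = fh[:BODY_LEN], fh[BODY_LEN:]
    expected = hmac.new(sb_key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return struct.unpack(BODY_FMT, body)


def lifetime_demo():
    """Walk through the three cases the thread argues about."""
    key_v1 = b"\x11" * 32  # constructed per-superblock key
    fh = make_handle(key_v1, ino=1234, gen=7)
    # 1. A handle this superblock issued opens the inode it names.
    genuine = open_by_handle(key_v1, fh)
    # 2. Rewriting the inode number in a valid handle breaks the tag,
    #    so a caller cannot steer a handle at an inode it never reached.
    tampered = struct.pack(BODY_FMT, 1235, 7) + fh[BODY_LEN:]
    tamper_rejected = open_by_handle(key_v1, tampered) is None
    # 3. Rotating the key (a fresh random key at the next mount, say)
    #    strands every handle issued before it: Bruce's objection.
    key_v2 = b"\x22" * 32
    after_rotation = open_by_handle(key_v2, fh)
    return genuine, tamper_rejected, after_rotation
```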