Bugtraq mailing list archives

Re: nfs_mount in AIX


From: jfh () rpp386 cactus org (John F. Haugh II)
Date: Wed, 26 Apr 95 21:16:47 CDT


Here's a little additional information.....  the nfs_mount routine does its
work through the vmount() system call, which is documented.  If this is a
security hole at all, then it's because it would let an attacker mount a
remote filesystem under his control onto a world-readable directory like
/tmp or /var/preserve, and thereby grab a copy of everything that was
written to that directory.  Anybody want to write a test program?

nfs_mount is in librpcsvc.a, but offers nothing beyond what vmount() gives
(since it's just a subroutine anyway) aside from a simpler interface.

Each VFS type has its own mount functionality.  So permission to mount
is potentially handled differently for each VFS.  Just because the bug
exists in NFS doesn't mean it exists for JFS (it doesn't, I looked ;-)

I have passed this on to the NFS folks and gotten a commitment to do a
bug fix.  I'll pass this concern along to the rest of the filesystem
people so that the LFS people are aware that a more global problem may
exist WRT non-NFS, non-JFS mounts.
-- 
John F. Haugh II  [ NRA-ILA ] [ Kill Barney ] !'s: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 251-2151 [GOP][DoF #17][PADI][ENTJ]   @'s: jfh () rpp386 cactus org
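
Added example, not part of the original post and not AIX or IBM code: a Python audit that reads `mount` output and reports NFS filesystems mounted at or below the directories the post names (/tmp and /var/preserve). The column layout (node, mounted, mounted over, vfs, date, options), the host names and the sample rows are constructed assumptions.

```python
"""Audit AIX-style `mount` output for NFS mounts covering shared directories."""

# Directories named in the post; extend the tuple for your own hosts.
SENSITIVE_DIRS = ("/tmp", "/var/preserve")

# Constructed sample. Assumed column order: node, mounted, mounted over,
# vfs, date, options. The node column is blank for local filesystems.
SAMPLE_MOUNT_OUTPUT = """\
  node       mounted        mounted over    vfs       date        options
-------- ---------------  ---------------  ------ ------------ ---------------
         /dev/hd4         /                jfs    Apr 26 08:04 rw,log=/dev/hd8
         /dev/hd3         /tmp             jfs    Apr 26 08:04 rw,log=/dev/hd8
fs1      /export/home     /home            nfs    Apr 26 08:06 rw,bg,hard
hostx    /export/x        /tmp             nfs    Apr 26 21:10 rw
hostx    /export/y        /var/preserve/   nfs    Apr 26 21:11 rw
"""


def parse_mounts(text):
    """Yield (node, mounted, mounted_over, vfs) for each data row."""
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, the header row and the dashed separator.
        if len(fields) < 3 or fields[0] == "node" or line.startswith("-"):
            continue
        # A row starting with whitespace has an empty node column (local mount).
        if line[0].isspace():
            fields.insert(0, "")
        if len(fields) >= 4:
            yield tuple(fields[:4])


def suspicious_nfs_mounts(text, sensitive=SENSITIVE_DIRS):
    """Return (node, mounted, mount_point) for NFS mounts at or below a sensitive dir."""
    findings = []
    for node, mounted, over, vfs in parse_mounts(text):
        if not vfs.startswith("nfs"):
            continue
        path = over.rstrip("/") or "/"  # normalise a trailing slash
        if any(path == d or path.startswith(d + "/") for d in sensitive):
            findings.append((node, mounted, path))
    return findings


if __name__ == "__main__":
    for node, mounted, path in suspicious_nfs_mounts(SAMPLE_MOUNT_OUTPUT):
        print(f"NFS mount over shared directory: {node}:{mounted} on {path}")
```
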


