mirror of
https://github.com/torvalds/linux.git
synced 2026-05-12 16:18:45 +02:00
NFS clients may bypass restrictive directory permissions by using open_by_handle() (or other available OS system call) to guess the filehandles for files below that directory. In order to harden knfsd servers against this attack, create a method to sign and verify filehandles using SipHash-2-4 as a MAC (Message Authentication Code).

According to https://cr.yp.to/siphash/siphash-20120918.pdf, SipHash can be used as a MAC, and our use of SipHash-2-4 provides a low 1 in 2^64 chance of forgery. Filehandles that have been signed cannot be tampered with, nor can clients reasonably guess correct filehandles and hashes that may exist in parts of the filesystem they cannot access due to directory permissions.

Append the 8 byte SipHash to encoded filehandles for exports that have set the "sign_fh" export option. Filehandles received from clients are verified by comparing the appended hash to the expected hash. If the MAC does not match, the server responds with NFS error _STALE. If unsigned filehandles are received for an export with "sign_fh", they are rejected with NFS error _STALE.

Signed-off-by: Benjamin Coddington <bcodding@hammerspace.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
| File |
|---|
| client-identifier.rst |
| exporting.rst |
| index.rst |
| knfsd-stats.rst |
| localio.rst |
| nfs41-server.rst |
| nfsd-io-modes.rst |
| nfsd-maintainer-entry-profile.rst |
| pnfs.rst |
| reexport.rst |
| rpc-cache.rst |
| rpc-server-gss.rst |