[Dovecot] I stream read - stale NFS file handle (reboot of server)

Edgar Fuß ef at math.uni-bonn.de
Sun Mar 28 23:35:50 EEST 2010


I must admit getting somewhat tired of this discussion, but I simply don't want people investigating the original problem being distracted.

EF> I'm a bit surprised by this. Which "discussion group"?
DA> The RFC, one for NFSv4.0
Oh, you mean you posted to nfs4 at ietf.org? Oh yes, http://www.nfsv4.org/nfsv4-wg-archive-dec-96-jan-03/author.html confirms this.

DA> Yes the spec says this, and at first everyone implemented it this
DA> way, and then everyone changed it due to Security issues, maybe
DA> no-one went back and updated the spec. The FileSystemHandle (ie File
DA> Handle at the top of exported file system) is now changed on
DA> every-reboot, unless your in a Cluster configuration.
OK, you are suggesting that the designers of the NFS protocol went into great lengths making NFS immune to server crashes by making the operations idempotent and the protocol stateless; then the designers of the NLM protocol went into great lenghts making locking immune to server crashes by idempotent operations, introduction of the stat deamon and the locking deamon grace period -- and then later, they break all this for what you call "security reasons" and forget updating the protocol specification? Really?

DA> The specs had problems
Ah yes.

DA> but then you may have more security issues.
EF> Could you please elaborate on this "secutity issues"?
DA> NFSD (v2/3) is stateless and trusts the security information (UDP,
DA> RPC requests using AUTH_UNIX) from the NFS client. [...]
I'm quite aware of all this. What I was asking for were those "security issues" that you claim to be solved by randomizing the inode-to-filehandle-relationship on every server reboot.

I think you are confusing inode generation number randomization with NFS file handles. Randomizing generation numbers makes file handles much harder to guess, addressing the security issues you mention. But generation numbers are part of the on-disk inode and so don't change on server reboots. They don't need in order to address the security issues. But changing the inode-to-fiilehandle relation on reboots would break NFS's immunity to server crashes. And it would break it for no reason whatsoever.


More information about the dovecot mailing list