> Here's a little additional information..... the nfs_mount routine does its
> work through the vmount() system call, which is documented. If this is a
> security hole at all, then it's because it would let an attacker mount a
> remote filesystem under his control onto a world-readable directory like
> /tmp or /var/preserve, and thereby grab a copy of everything that was
> written to that directory. Anybody want to write a test program?
>
> nfs_mount is in librpcsvc.a, but offers nothing beyond what vmount() gives
> (since it's just a subroutine anyway) aside from a simpler interface.

Each VFS type has its own mount functionality. So permission to mount is
potentially handled differently for each VFS. Just because the bug exists
in NFS doesn't mean it exists for JFS (it doesn't, I looked ;-)

I have passed this on to the NFS folks and gotten a commitment to do a bug
fix. I'll pass this concern along to the rest of the filesystem people so
that the LFS people are aware that a more global problem may exist WRT
non-NFS, non-JFS mounts.
--
John F. Haugh II [ NRA-ILA ] [ Kill Barney ] !'s: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 251-2151 [GOP][DoF #17][PADI][ENTJ] @'s: jfh@rpp386.cactus.org