[216] in linux-security and linux-alert archive
Re: randomizing filehandles: why not use fsirand?
daemon@ATHENA.MIT.EDU (Ian Jackson)
Sat Apr 22 06:44:26 1995
Date: Wed, 19 Apr 95 12:02 BST
From: iwj10@cus.cam.ac.uk (Ian Jackson)
To: linux-security@tarsier.cv.nrao.edu
[mod: If people wish to discuss this issue further with Peter and Ian,
I suggest you take it to private email. --okir]
"Peter Bouthoorn" writes ("randomizing filehandles: why not use fsirand?"):
> I've wondered why no one (to my knowledge) has suggested to write
> a tool similar to fsirand. Fsirand randomizes all inode numbers
> on a system, which makes guessing file handles a little harder.
> Of course the randomization used in such a tool should be
> "really random", so that we don't end up with the same problem
> as SunOS: the random element used in fsirand wasn't random enough.
> Comments anyone?
This is a horrible hack. Why should I fragment my filesystems' inode
maps, not to mention take the system down to do it?
Furthermore, it provides only very weak protection. It won't stop an
exhaustive search, nor will it help very much with the general
security problems with NFS. It won't prevent an attack by an insider
who can ls -i files.
If you really want to do this, why not use a keyed hash to `sign' the
filehandle, so that the server can tell whether it generated a
filehandle or not? MD5 generates 128-bit hashes, which would be half
of a 32-byte filehandle.
It'll break your clients whenever you change the secret, but it's
probably better than nothing even if you never do so.
Ian.
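The keyed-hash scheme Ian sketches above, as an added Python example that is not part of the original post and not code from any NFS server. The 32-byte handle is split as he describes: 16 bytes of plaintext payload and a 128-bit MD5-based tag. The payload layout (fsid, inode, generation), the choice of HMAC-MD5 as the keyed construction (the post says only "keyed hash"), and the names SERVER_SECRET, make_handle, verify_handle and forge_attempt are all assumptions made for this illustration. It also goes one step beyond the post: verify_handle accepts a list of secrets, so a server can honour handles minted under the previous secret for a grace period, which is one way to soften the "changing the secret breaks your clients" caveat.

```python
"""Keyed-hash 'signed' NFS file handles (illustrative; not the post's code).

Assumed 32-byte layout:
  bytes  0..15  plaintext payload: fsid (4), inode (4), generation (8)
  bytes 16..31  128-bit keyed MD5 tag over the payload (HMAC-MD5 here)
Without the server's secret, nobody can mint a handle that verifies,
so knowing an inode number (e.g. from `ls -i`) is not enough on its own.
"""
import hashlib
import hmac
import os
import struct

FH_LEN = 32
PAYLOAD_FMT = ">IIQ"                     # fsid, inode, generation; 16 bytes, big-endian
PAYLOAD_LEN = struct.calcsize(PAYLOAD_FMT)
TAG_LEN = hashlib.md5().digest_size      # 16 bytes = 128 bits, half the handle
assert PAYLOAD_LEN + TAG_LEN == FH_LEN

# Hypothetical long-term server secret; a real server would load it from
# a root-only file so it survives reboots (a new secret breaks every client's
# cached handles, as the post points out).
SERVER_SECRET = os.urandom(32)


def _tag(payload, secret):
    """Keyed hash of the payload; HMAC-MD5 is this example's choice."""
    return hmac.new(secret, payload, hashlib.md5).digest()


def make_handle(fsid, inode, generation, secret=SERVER_SECRET):
    """Server side: pack the identifying fields and append the 128-bit tag."""
    payload = struct.pack(PAYLOAD_FMT, fsid, inode, generation)
    return payload + _tag(payload, secret)


def verify_handle(fh, secrets=(SERVER_SECRET,)):
    """Return (fsid, inode, generation) if the tag matches under any accepted
    secret, else None.  Listing the previous secret after the current one
    lets old handles keep working during a key change (an extension of the
    post's scheme).  compare_digest keeps the comparison constant-time."""
    if len(fh) != FH_LEN:
        return None
    payload, tag = fh[:PAYLOAD_LEN], fh[PAYLOAD_LEN:]
    for secret in secrets:
        if hmac.compare_digest(tag, _tag(payload, secret)):
            return struct.unpack(PAYLOAD_FMT, payload)
    return None


def forge_attempt(fh, new_inode):
    """What an insider who knows inode numbers might try: keep a valid
    handle's tag and overwrite its inode field.  The tag no longer matches."""
    fsid, _, gen = struct.unpack(PAYLOAD_FMT, fh[:PAYLOAD_LEN])
    return struct.pack(PAYLOAD_FMT, fsid, new_inode, gen) + fh[PAYLOAD_LEN:]


if __name__ == "__main__":
    fh = make_handle(7, 4711, 3)
    print("genuine handle:", fh.hex(), "->", verify_handle(fh))
    print("inode rewritten:", verify_handle(forge_attempt(fh, 4712)))
    old_secret, new_secret = b"k" * 32, b"j" * 32
    old_fh = make_handle(7, 4711, 3, secret=old_secret)
    print("after key change, old key dropped:", verify_handle(old_fh, (new_secret,)))
    print("after key change, old key still accepted:",
          verify_handle(old_fh, (new_secret, old_secret)))
```

Note what this does and does not buy: a forged or guessed handle is rejected before the server ever looks up the inode, but anyone who already holds a genuine handle (a legitimate client, or whoever sniffed one off the wire) can keep using it, so this is a check on handle origin, not a substitute for the rest of NFS access control.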