No File Security 287
is an exercise left to the reader.) But this hack doesn't work over NFS. The stateless protocol doesn't know that the file is "opened"; as soon as the file is deleted, it's gone.
NFS Hack Solution #3: When an NFS client deletes a file that is open, it really renames the file with a crazy name like ".nfs0003234320" which, because it begins with a leading period, does not appear in normal file listings. When the file is closed on the client, the client sends through the Delete-File command to delete the NFS dot-file.
Why the hack doesn't work: If the client crashes, the dot-file never gets deleted. As a result, NFS servers have to run nightly "clean-up" shell scripts that search for all of the files with names like ".nfs0003234320" that are more than a few days old and automatically delete them. This is why most Unix systems suddenly freeze up at 2:00 a.m. each morning—they're spinning their disks running find. And you better not go on vacation with the mail(1) program still running if you want your mail file to be around when you return. (No kidding!)
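The nightly clean-up job the text describes, written out as an added example (this is not code from the book); the export directory, the age threshold and the dry-run flag are assumptions:

```shell
#!/bin/sh
# Added example: a clean-up job for NFS "silly rename" leftovers, the
# .nfsXXXX files a client creates when it deletes an open file and never
# removes because it crashed before the close. Arguments are assumptions.

# stale_nfs_dotfiles EXPORT_DIR MIN_AGE_DAYS
# Lists regular files named .nfs* under EXPORT_DIR whose modification time
# is more than MIN_AGE_DAYS days old. -xdev keeps find on the exported
# filesystem instead of descending into other mounts.
stale_nfs_dotfiles() {
    find "$1" -xdev -type f -name '.nfs*' -mtime +"$2" -print 2>/dev/null
}

# cleanup_stale_nfs_dotfiles EXPORT_DIR MIN_AGE_DAYS [dry]
# Prints the number of stale dot-files found and, unless the third
# argument is "dry", deletes them. The age threshold matters: a dot-file
# may belong to a client that is alive but has simply kept the file open
# for days (the book's mail(1) anecdote is exactly this case), and the
# server has no state telling it which is which. Keep the threshold
# generous and run in dry mode first.
cleanup_stale_nfs_dotfiles() {
    export_dir=$1
    min_age_days=$2
    mode=${3:-delete}

    count=$(stale_nfs_dotfiles "$export_dir" "$min_age_days" | wc -l | tr -d ' ')
    if [ "$mode" != dry ]; then
        find "$export_dir" -xdev -type f -name '.nfs*' \
            -mtime +"$min_age_days" -exec rm -f {} + 2>/dev/null
    fi
    echo "$count"
}
```

A cron entry running `cleanup_stale_nfs_dotfiles /export 3` at 2:00 a.m. is the "nightly shell script" the text complains about.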
So even though NFS builds its reputation on being a "stateless" file system, it's all a big lie. The server is filled with state—a whole disk worth. Every single process on the client has state. It's only the NFS protocol that is stateless. And every single gross hack that's become part of the NFS "standard" is an attempt to cover up that lie, gloss it over, and try to make it seem that it isn't so bad.
No File Security
Putting your computer on the network means potentially giving every pimply faced ten-year-old computer cracker in the world the ability to read your love letters, insert spurious commas into your source code, or even forge a letter of resignation from you to put in your boss's mailbox. You better be sure that your network file system has some built-in security to prevent these sorts of attacks.
Unfortunately, NFS wasn't designed for security. Fact is, the protocol doesn't have any. If you give an NFS file server a valid handle for a file, the server lets you play with it to your heart's content. Go ahead, scribble away: the server doesn't even have the ability to log the network address of the workstation that does the damage.