Subject: Re: Is fsirand still needed?
From: Casper Dik (Casper.Dik HOLLAND.SUN.COM)
Date: Tue Nov 28 2000 - 11:18:43 CST
>Fsirand is a utility to install random inode generation numbers for all
>inodes of a particular device. This is useful because it makes prediction
>of the inodes sequences difficult. Newfs (at least in Solaris8 and I am
>guessing in 2.7 and maybe 2.6????) incorporates the functionality of fsirand
>whenever it makes a new filesystem.
It was part of newfs even in SunOS 3 or later days. The functionality
was merged into newfs somewhere early in Solaris 2.x (so you need to
write all inodes just once and not twice).
Since Solaris 2.6 all file accesses are checked against credentials
(i.e., in the typical case, the inet address is verified against the
export list). Guessing or storing filehandles has become completely
pointless with 2.6.
>So my question is, does periodically running fsirand on a filesystem that
>already has random generation numbers add any security or is it just a pain
>in my side?
It's a pain in your side for two reasons:
- you need to off-line the filesystem
- all clients need to unmount and remount (Stale file handles
galore)
[ Please junk the vcard ]