[56] in linux-net channel archive


Re: Bernhard Heidegger: Re: NFS: security problem with root_squash ??

daemon@ATHENA.MIT.EDU (Daniel Bromberg)
Wed Feb 1 01:54:57 1995

To: linux-net@vger.rutgers.edu
Cc: nygren@mit.edu, kkeyte@koft.rhein-main.de, hdg@edvz.tu-graz.ac.at
In-Reply-To: Your message of Tue, 31 Jan 1995 16:20:59 -0500.
             <199501312121.QAA26299@foundation.mit.edu> 
Date: Wed, 01 Feb 1995 00:14:24 -0500
From: Daniel Bromberg <ddaniel@mit.edu>

On Tue, 31 Jan 1995, Bernhard Heidegger wrote:

> On Mon, 30 Jan 1995, Karl Keyte wrote:
>  
> > I have just noticed a problem with NFS mounts.  Perhaps it's me!
> > If I export a filesystem in /etc/exports with something like:
> > 
> > /home   someone(rw,insecure,root_squash)
> > 
> > I understood that this should block the root user at host 'someone'
> > from having root access inside /home when mounted.  It doesn't!
> > It lets that user do anything in that filesystem.
> 
> This seems to be a bug in the nfsd code.
> I noticed this behavior 3 or 4 months ago, and checked the nfsd source
> (from the Slackware distribution).
> The following patch did the job for me, but I don't know if I'm right and if
> the patch applies to all versions. I didn't apply this patch to the latest
> nfsd (2.0 I think). Be very careful!
> Maybe someone can review the patch.

I've reviewed it for nfs-server-2.0 (from tsx-11.mit.edu). The adaption
turns out to be very simple. Here's my diff for dispatch.c:

# diff dispatch.c dispatch.c.old 
176,180c176,177
<       struct authunix_parms *unix_cred;
<       unix_cred = (struct authunix_parms *) rqstp->rq_clntcred;
< 
<       if ( (rqstp->rq_cred.oa_flavor == AUTH_UNIX) &&
<             (! cp->o.root_squash || unix_cred->aup_uid) ) {
---
>       if (rqstp->rq_cred.oa_flavor == AUTH_UNIX) {
>               struct authunix_parms *unix_cred;
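Review bot: in the new condition on the `<` side, `(! cp->o.root_squash || unix_cred->aup_uid)` tests only aup_uid, and a squashed root request now skips the whole AUTH_UNIX branch, so the identity it ends up with is set by code outside this hunk. Please confirm that path assigns the anonymous uid and gid explicitly rather than leaving whatever the server process already had, and state in a comment whether a request with a non-zero aup_uid but aup_gid 0 is meant to pass through unsquashed. The cast of rq_clntcred ahead of the oa_flavor check is safe only because && short-circuits before the dereference; a one-line comment saying so would help the next reader.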
181a179
>               unix_cred = (struct authunix_parms *) rqstp->rq_clntcred;
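Review bot: the command on the first line is diff dispatch.c dispatch.c.old, so this diff runs from the patched file to the original, and the `>` line here is the old in-block assignment being dropped, not an addition. Anyone applying it as posted needs patch -R; better to regenerate it from old to new as a context or unified diff (diff -u dispatch.c.old dispatch.c) so it still applies when line numbers differ between nfsd versions.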

It works fine on initial testing. I tried creating, accessing, and
removing files on an exported read/write root-squash'd volume. It
works, but is a bit quirky. The only way I could get a permission
denied error was to try to rm. All other commands give helplessly
blank errors. For example, ls'ing a drwx--------- directory simply
reports 0 files inside, and touch some-new-file just reports No such
file or directory.

Hope people find this useful.  (btw, I'm new to this list)

							Daniel Bromberg
							ddaniel@mit.edu

