[42] in linux-security and linux-alert archive
Re: NFS server
daemon@ATHENA.MIT.EDU (Marek Michalkiewicz)
Tue Mar 7 12:16:10 1995
To: linux-security@tarsier.cv.nrao.edu
Date: Tue, 7 Mar 1995 15:50:57 +0100 (MEZ)
From: Marek Michalkiewicz <ind43@ci3ux.ci.pwr.wroc.pl>
In-Reply-To: <199503070130.CAA02132@mvmampc66.ciw.uni-karlsruhe.de> from "Thomas Koenig" at Mar 7, 95 02:30:14 am
Reply-To: linux-security@tarsier.cv.nrao.edu
> Known holes are, or have been:
>
> - Portmapper hole with forwarding; fixed by Wietse Venema's secure
> portmapper.
>
> - Read-only export doesn't work, it is only parsed.
>
> - user can kill off nfsd
>
> - squash_root doesn't work
>
> (all of these in addition to the usual NFS holes).

Maybe not a hole, but... map_daemon is documented in the man page, but
doesn't work either (it is only parsed).

On the other hand, read-only export seems to work - but I'm not sure if
it really works all the time: after looking at the source I found that
nfsd_nfsproc_write_2 doesn't call check_ro_attrib() even though other
nfsd_nfsproc_* functions (which need to write to disk) do.

If you are only using NFS for /usr and other read-only things, you could
make it more secure - well, at least maybe less insecure :) - by running
as non-root. It is possible because port 2049 > 1024. It will then not
be able to change its uid, of course. Works at least for me...

Regards,
--
Marek Michalkiewicz
marekm@i17linuxa.ists.pwr.wroc.pl || ind43@ci3ux.ci.pwr.wroc.pl
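
The source review described in the message (finding a write handler that skips the read-only check) can be repeated mechanically. The script below is an added example, not part of the original post and not code from the nfsd sources: the C sample is constructed, its function bodies, the `do_*` helpers and the argument passed to `check_ro_attrib()` are placeholders, and handler names other than `nfsd_nfsproc_write_2` are assumed to follow the same naming pattern.

```python
import re

# NFSv2 procedures that modify the filesystem (RFC 1094).
MUTATING = {"setattr", "write", "create", "remove", "rename",
            "link", "symlink", "mkdir", "rmdir"}

# Constructed sample, NOT the real nfsd source: bodies are placeholders.
SAMPLE = r"""
int nfsd_nfsproc_getattr_2(void *argp) {
    return do_getattr(argp);
}
int nfsd_nfsproc_remove_2(void *argp) {
    if (!check_ro_attrib(argp)) { return NFSERR_ROFS; }
    return do_remove(argp);
}
int nfsd_nfsproc_write_2(void *argp) {
    /* check_ro_attrib() is never called on this path */
    return do_write(argp);
}
"""

HEADER = re.compile(r"\bnfsd_nfsproc_(\w+)_2\s*\([^;{)]*\)\s*\{")
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def function_bodies(src):
    """Yield (procedure, body) for each nfsd_nfsproc_<proc>_2 definition."""
    src = COMMENT.sub(" ", src)          # a call mentioned in a comment must not count
    for m in HEADER.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:    # match braces to find the end of the body
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def unguarded_writers(src, guard="check_ro_attrib"):
    """Return mutating procedures whose body never calls the guard."""
    call = re.compile(r"\b%s\s*\(" % re.escape(guard))
    return sorted(proc for proc, body in function_bodies(src)
                  if proc in MUTATING and not call.search(body))

if __name__ == "__main__":
    for proc in unguarded_writers(SAMPLE):
        print("nfsd_nfsproc_%s_2: no read-only check" % proc)
```

Brace matching here ignores braces inside string literals, and a guard reached only through a helper function is reported as missing, so a hit is a prompt for manual review rather than proof of a hole.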