[734] in linux-security and linux-alert archive
Re: [linux-security] SO_REUSEADDR
daemon@ATHENA.MIT.EDU (Zygo Blaxell)
Tue May 21 12:25:16 1996
From: Zygo Blaxell <zblaxell@myrus.com>
To: csxsjm@scs.leeds.ac.uk (Sam Mortimer)
Date: Tue, 21 May 1996 11:32:44 -0400 (EDT)
Cc: linux-security@tarsier.cv.nrao.edu, unfsd@monad.swb.de
In-Reply-To: <Pine.SGI.3.91.960518171430.16688A-100000@csgi20> from "Sam Mortimer" at May 18, 96 08:10:55 pm
Quoted from Sam Mortimer:
> eg. At home, if I start the nfs server as root and mount something
> (anything), then as any non-root user I can start my own nfsd which has
> been modified so getattr() checks pathnames for the substring "xyz" and if
> it exists returns attrs with the owner of the file set to root.....etc.
Injecting symlinks to files on the client's local disk would allow you
to exploit any privileged users using the NFS mounts by fooling them
into clobbering system files.
You can of course receive anything the client writes and send whatever
you like when it reads.
If the client has mounted NFS filesystems with something less than
'nosuid,nodev,noexec' in the mount flags, then the client deserves what
it gets. There's a network in between the two, and the NFS protocol
has no authentication, so even if the real server were running it would
still be possible to attack the client, although without this particular
bug it's a little harder.
I mount everything but the root partition with 'nodev,nosuid,noexec' in
the mount flags. This includes floppies and CDROMs (removable media
containing a user-supplied filesystem--Ewww!), non-root/boot hard disks
(if you don't have device files in /home, then why enable support for
them?), and especially NFS.
NFS is pretty bad stuff anyway. I've found that it's usably useful as
a read-only data-sharing protocol, if you remove the set*id() code in
the daemon, chroot() it, run it as non-root, remove support for writes,
and have the clients mount it nodev/nosuid/noexec/ro. Even then, you
have to have educated users on the client, because even seemingly
harmless actions like using 'vim' to read a text file on the NFS mount
can be exploited by a malicious server to overwrite the innocent user's
files (in this case, with the .swp file generated by 'vim').
Is there a Linux implementation of AFS? There *has* to be a better way...
--
Zygo Blaxell. Former Unix/soft/hardware guru, U of Waterloo Computer Science
Club. Current sysadmin for Myrus Design, Inc. 10th place, ACM Intl Collegiate
Programming Contest Finals, 1994. Administer Linux nets for food, clothing,
and anime. "I gave up $1000 to avoid working on windoze... *sigh*" - Amy Fong
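An added example, not part of the original message or of any NFS server code: a small POSIX sh audit of a mount table, in fstab / /proc/mounts field order (device, mountpoint, fstype, options, dump, pass), against the policy stated above, i.e. every mount other than the root partition must carry nodev,nosuid,noexec, and NFS mounts must additionally be read-only. The table it runs on is constructed for the demonstration; the function names (has_opt, check_mount, insecure_mounts) and the sample devices and exports are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a mount table in
# fstab / /proc/mounts layout (device mountpoint fstype options dump pass)
# against the policy in the post: every mount except / carries
# nodev,nosuid,noexec, and NFS mounts are additionally mounted ro.
# The sample table below is constructed for the demonstration.

REQUIRED="nodev nosuid noexec"   # required on every non-root mount

# has_opt OPTS NAME -> exit 0 if NAME appears in the comma-separated OPTS
has_opt() {
    case ",$1," in
        *,"$2",*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_mount FSTYPE MOUNTPOINT OPTS -> prints the missing options
# (space separated); prints nothing when the mount satisfies the policy.
check_mount() {
    fstype=$1 mnt=$2 opts=$3
    missing=""
    # The root filesystem is the one exception the post makes.
    [ "$mnt" = "/" ] && return 0
    for want in $REQUIRED; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    # NFS carries no authentication, so the post also wants it read-only.
    if [ "$fstype" = nfs ] && ! has_opt "$opts" ro; then
        missing="$missing ro"
    fi
    printf '%s\n' "${missing# }"
}

# insecure_mounts < TABLE -> one line per non-compliant mount:
# "<mountpoint> <fstype> <missing options>". Blank and comment lines are
# skipped, so it works unchanged on /etc/fstab and on /proc/mounts.
insecure_mounts() {
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|\#*) continue ;; esac
        m=$(check_mount "$fstype" "$mnt" "$opts")
        if [ -n "$m" ]; then
            printf '%s %s %s\n' "$mnt" "$fstype" "$m"
        fi
    done
}

# Constructed sample table (fstab layout); not a real system's configuration.
SAMPLE_FSTAB='
# device              mountpoint   fstype   options                       dump pass
/dev/hda1             /            ext2     defaults                      1 1
/dev/hda2             /home        ext2     defaults                      1 2
/dev/fd0              /mnt/floppy  ext2     noauto,nodev,nosuid,noexec    0 0
/dev/hdc              /mnt/cdrom   iso9660  ro,noauto,nodev,nosuid,noexec 0 0
server:/export/data   /data        nfs      rw,nodev,nosuid               0 0
server:/export/ro     /ro          nfs      ro,nodev,nosuid,noexec        0 0
'

# Run on the sample when executed directly; replace the pipe with
# "insecure_mounts < /proc/mounts" to audit the mounts on a live host.
printf '%s\n' "$SAMPLE_FSTAB" | insecure_mounts
```

On the sample table this reports /home (an ext2 data partition mounted with 'defaults', so none of the three flags) and /data (an NFS export mounted rw and without noexec); the root partition, the floppy, the CD-ROM and the read-only export pass. Note that these flags only limit what the client will do with the server's data: they do not address the vim .swp case above, where the client's own write lands on the mount, nor the lack of authentication in the protocol itself, which is why the message also strips the daemon down to read-only and runs it unprivileged in a chroot.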