
Bug#384922: NFS insecure without support for squashing multiple groups



severity 384922 critical
thanks

Dear Steve,

Sorry, I missed one:

> ... only exploitable when
>
> - you have a non-empty "staff" group on the client (+/- equivalent to
>   untrusted root users on the client, since any root user can simply add
>   users to this group)
> - you have NFS-shared filesystems that aren't marked nosuid
> - the untrusted user on the client has access to run processes on the NFS
>   server
> - /usr/local/{bin,sbin} are in root's path
> - /usr/local/{bin,sbin} are writable by group staff

No need for the attacker to have direct login access to the NFS server:
if there is some user activity there, that could be trojaned.

Of your five conditions, (1) is a given (what we are protecting against),
(2) is what we use NFS for, (3) is likely to be present, and (4) and (5)
are forced upon us by Debian policy. (Were not these things debated in
#299007 already?)

Sounds "critically gaping" to me.

---

I am somewhat curious: who is Steinar, and who are you?

I had submitted a bug against nfs-kernel-server; the maintainer there is
Anibal. You jumped in and re-jiggled the severity; then there were some
messages from Steinar, never anything from Anibal. After re-assigning to 
linux-2.6.16 (hmm... why the specific version?) where the maintainer is
a nebulous committee, again you re-jiggle severity; and no word from the
maintainers.

Thanks,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
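The mechanism behind the five conditions quoted above, as an added illustration that is not part of this message nor code from the Debian or Linux kernel projects: an NFS server doing root_squash rewrites uid 0 and gid 0 in the AUTH_SYS credential to the anonymous ids, but if it leaves the supplementary group list untouched, a client root who has put itself in "staff" still matches a root:staff, group-writable /usr/local/bin on the server. The gid of "staff", the anonymous ids, the directory mode and the function names are assumptions chosen for the example; the "fixed" variant simply drops root's supplementary groups as well.

```python
"""Model of AUTH_SYS credential squashing on an NFS server (added example,
not kernel or nfs-kernel-server code). Ids, modes and names are assumptions."""

from dataclasses import dataclass

ANON_UID = 65534   # "nobody"  (assumed anonuid)
ANON_GID = 65534   # "nogroup" (assumed anongid)
STAFF_GID = 50     # Debian "staff" group (assumed gid)


@dataclass(frozen=True)
class Creds:
    """What the client sends in an AUTH_SYS (AUTH_UNIX) credential."""
    uid: int
    gid: int
    groups: tuple   # supplementary group list, as chosen by the client


def squash_legacy(c: Creds, root_squash: bool = True) -> Creds:
    """root_squash as the bug report describes it: uid 0 and gid 0 become the
    anonymous ids, but the supplementary group list passes through untouched."""
    if not root_squash or c.uid != 0:
        return c
    return Creds(ANON_UID, ANON_GID if c.gid == 0 else c.gid, c.groups)


def squash_fixed(c: Creds, root_squash: bool = True) -> Creds:
    """Squashing that also discards root's supplementary groups, so a client
    root who adds himself to 'staff' gains nothing on the server."""
    if not root_squash or c.uid != 0:
        return c
    return Creds(ANON_UID, ANON_GID, ())


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int   # permission bits only


def may_write(c: Creds, ino: Inode) -> bool:
    """Ordinary POSIX discretionary check: owner, then group, then other."""
    if c.uid == ino.uid:
        return bool(ino.mode & 0o200)
    if c.gid == ino.gid or ino.gid in c.groups:
        return bool(ino.mode & 0o020)
    return bool(ino.mode & 0o002)


# /usr/local/bin owned root:staff and group-writable, as condition (5) in the
# thread states; the exact mode 0775 is assumed for the example.
USR_LOCAL_BIN = Inode(uid=0, gid=STAFF_GID, mode=0o775)

# Root on an untrusted client who has added itself to "staff" (condition (1)).
CLIENT_ROOT = Creds(uid=0, gid=0, groups=(0, STAFF_GID))

# An ordinary client user who is not in "staff", for comparison.
CLIENT_USER = Creds(uid=1000, gid=1000, groups=(1000,))


def can_write_usr_local_bin(squash, creds: Creds = CLIENT_ROOT) -> bool:
    """Does the given credential, after the given squashing, get write access
    to the exported /usr/local/bin (i.e. can it drop a trojaned binary there)?"""
    return may_write(squash(creds), USR_LOCAL_BIN)


if __name__ == "__main__":
    for name, fn in (("legacy root_squash", squash_legacy),
                     ("root_squash + group squash", squash_fixed)):
        print(f"{name:28s} client root can write /usr/local/bin: "
              f"{can_write_usr_local_bin(fn)}")
```

With the legacy mapping the squashed credential is uid 65534 but still carries gid 50 in its group list, so the group-write bit on /usr/local/bin is enough; once the supplementary groups are squashed too, the same request falls through to the "other" bits and is refused. Marking the export nosuid (condition (2)) does not change this check at all: the trojaned binary is not setuid, it is simply run by root on the server because /usr/local/bin is in root's path.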


