Bug#384922: NFS insecure without support for squashing multiple groups

To: Paul Szabo <psz@maths.usyd.edu.au>
Cc: 384922@bugs.debian.org, control@bugs.debian.org
Subject: Bug#384922: NFS insecure without support for squashing multiple groups
From: Steve Langasek <vorlon@debian.org>
Date: Thu, 31 Aug 2006 03:40:38 -0700
Message-id: <[🔎] 20060831104038.GE5669@mauritius.dodds.net>
Reply-to: Steve Langasek <vorlon@debian.org>, 384922@bugs.debian.org
In-reply-to: <[🔎] 200608310634.k7V6Y0M9007278@asti.maths.usyd.edu.au>
References: <[🔎] 20060831023608.GN15823@mauritius.dodds.net> <[🔎] 200608310634.k7V6Y0M9007278@asti.maths.usyd.edu.au>

severity 384922 important
quit

On Thu, Aug 31, 2006 at 04:34:00PM +1000, Paul Szabo wrote:
> Sorry, I missed one:

> > ... only exploitable when

> > - you have a non-empty "staff" group on the client (+/- equivalent to
> >   untrusted root users on the client, since any root user can simply add
> >   users to this group)
> > - you have NFS-shared filesystems that aren't marked nosuid
> > - the untrusted user on the client has access to run processes on the NFS
> >   server
> > - /usr/local/{bin,sbin} are in root's path
> > - /usr/local/{bin,sbin} are writable by group staff

> No need for the attacker to have direct login access to the NFS server:
> if there is some user activity there, that could be trojaned.

Now you're not even talking about anything that can be *fixed* by
smash_gids, you're talking about trojaning arbitrary files that will be
accessed by individual users on the NFS server.  The only way you can guard
against a compromised client in that case is to never share home
directories of any users you're worried about!

The answer remains, "don't set your NFS environment up that way."

> Of your five conditions, (1) is a given (what we are protecting against),
> (2) is what we use NFS for, (3) is likely to be present, and (4) and (5)
> are forced upon us by Debian policy. (Were not these things debated in
> #299007 already?)
> 
> Sounds "critically gaping" to me.
> 
> ---
> 
> I am somewhat curious: who is Steinar, and who are you?
> 
> I had submitted a bug against nfs-kernel-server; the maintainer there is
> Anibal. You jumped in and re-jiggled the severity; then there were some
> messages from Steinar, never anything from Anibal. After re-assigning to 
> linux-2.6.16 (hmm... why the specific version?) where the maintainer is
> a nebulous committee, again you re-jiggle severity; and no word from the
> maintainers.
> 
> Thanks,
> 
> Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics   University of Sydney    Australia
> 

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Reply to:

Follow-Ups:
- Processed: Re: NFS insecure without support for squashing multiple groups
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Bug#384922: NFS insecure without support for squashing multiple groups
  - From: Paul Szabo <psz@maths.usyd.edu.au>
- Bug#384922: NFS insecure without support for squashing multiple groups
  - From: Paul Szabo <psz@maths.usyd.edu.au>

References:
- Bug#384922: NFS insecure without support for squashing multiple groups
  - From: Steve Langasek <vorlon@debian.org>
- Bug#384922: NFS insecure without support for squashing multiple groups
  - From: Paul Szabo <psz@maths.usyd.edu.au>

Prev by Date: Processed: Re: NFS insecure without support for squashing multiple groups
Next by Date: Processed: severity of 385406 is serious
Previous by thread: Bug#384922: NFS insecure without support for squashing multiple groups
Next by thread: Processed: Re: NFS insecure without support for squashing multiple groups
Index(es):
- Date
- Thread