Bug#384922: NFS insecure without support for squashing multiple groups
severity 384922 important
quit
On Thu, Aug 31, 2006 at 04:34:00PM +1000, Paul Szabo wrote:
> Sorry, I missed one:
> > ... only exploitable when
> > - you have a non-empty "staff" group on the client (+/- equivalent to
> > untrusted root users on the client, since any root user can simply add
> > users to this group)
> > - you have NFS-shared filesystems that aren't marked nosuid
> > - the untrusted user on the client has access to run processes on the NFS
> > server
> > - /usr/local/{bin,sbin} are in root's path
> > - /usr/local/{bin,sbin} are writable by group staff
> No need for the attacker to have direct login access to the NFS server:
> if there is some user activity there, that could be trojaned.
Now you're not even talking about anything that can be *fixed* by
smash_gids, you're talking about trojaning arbitrary files that will be
accessed by individual users on the NFS server. The only way you can guard
against a compromised client in that case is to never share home
directories of any users you're worried about!
The answer remains, "don't set your NFS environment up that way."
> Of your five conditions, (1) is a given (what we are protecting against),
> (2) is what we use NFS for, (3) is likely to be present, and (4) and (5)
> are forced upon us by Debian policy. (Were not these things debated in
> #299007 already?)
>
> Sounds "critically gaping" to me.
>
> ---
>
> I am somewhat curious: who is Steinar, and who are you?
>
> I had submitted a bug against nfs-kernel-server; the maintainer there is
> Anibal. You jumped in and re-jiggled the severity; then there were some
> messages from Steinar, never anything from Anibal. After re-assigning to
> linux-2.6.16 (hmm... why the specific version?) where the maintainer is
> a nebulous committee, again you re-jiggle severity; and no word from the
> maintainers.
>
> Thanks,
>
> Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney Australia
>
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/
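
An added example, not part of the original messages: a POSIX shell check for the last two conditions in the list quoted above, run on the NFS server to find directories in root's PATH that are group- or world-writable (for instance /usr/local/bin writable by group staff). The function name `risky_path_dirs` and its output format are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): list directories in a PATH-style
# string that someone other than the owner can write to.
#
# Output, one line per finding:
#   DIR gid=N    directory is group-writable; N is the owning group's gid
#   DIR world    directory is world-writable
risky_path_dirs() (
    # The body runs in a subshell, so the IFS and globbing changes stay local.
    IFS=:
    set -f
    for d in $1; do
        # Skip empty PATH elements and entries that do not exist.
        [ -d "$d" ] || continue
        # ls -ldn prints: mode links uid gid ...
        # Mode string "drwxrwxr-x": character 6 is group write,
        # character 9 is other (world) write.
        ls -ldn "$d" | awk -v dir="$d" '
            substr($1, 9, 1) == "w" { print dir, "world"; next }
            substr($1, 6, 1) == "w" { print dir, "gid=" $4 }'
    done
)

# Run as root on the server to audit root's own PATH, or pass a
# PATH-style string as the first argument.
risky_path_dirs "${1:-$PATH}"
```

A reported gid can be resolved to its group name and member list with `getent group N`.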