Bug#384922: NFS insecure without support for squashing multiple groups

severity 384922 important

On Thu, Aug 31, 2006 at 04:34:00PM +1000, Paul Szabo wrote:
> Sorry, I missed one:

> > ... only exploitable when

> > - you have a non-empty "staff" group on the client (+/- equivalent to
> >   untrusted root users on the client, since any root user can simply add
> >   users to this group)
> > - you have NFS-shared filesystems that aren't marked nosuid
> > - the untrusted user on the client has access to run processes on the NFS
> >   server
> > - /usr/local/{bin,sbin} are in root's path
> > - /usr/local/{bin,sbin} are writable by group staff

> No need for the attacker to have direct login access to the NFS server:
> if there is some user activity there, that could be trojaned.

Now you're not even talking about anything that can be *fixed* by
smash_gids, you're talking about trojaning arbitrary files that will be
accessed by individual users on the NFS server.  The only way you can guard
against a compromised client in that case is to never share home
directories of any users you're worried about!

The answer remains, "don't set your NFS environment up that way."

> Of your five conditions, (1) is a given (what we are protecting against),
> (2) is what we use NFS for, (3) is likely to be present, and (4) and (5)
> are forced upon us by Debian policy. (Were not these things debated in
> #299007 already?)
> Sounds "critically gaping" to me.
> ---
> I am somewhat curious: who is Steinar, and who are you?
> I had submitted a bug against nfs-kernel-server; the maintainer there is
> Anibal. You jumped in and re-jiggled the severity; then there were some
> messages from Steinar, never anything from Anibal. After re-assigning to 
> linux-2.6.16 (hmm... why the specific version?) where the maintainer is
> a nebulous committee, again you re-jiggle severity; and no word from the
> maintainers.
> Thanks,
> Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics   University of Sydney    Australia

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/
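As an added example, not part of the bug report or of any Debian package, the script below audits the four locally checkable preconditions from the quoted list (non-empty staff group, NFS mounts without nosuid, /usr/local/{bin,sbin} in root's PATH, and those directories being staff-writable); condition (3), the attacker having processes on the server, cannot be checked from the client. All file contents, gids and modes are constructed sample data, not taken from any real host.

```python
import stat

# Constructed sample data standing in for /etc/group, /etc/fstab, root's PATH
# and os.stat() results for /usr/local/{bin,sbin}; not taken from a real host.
SAMPLE_GROUP = "root:x:0:\nstaff:x:50:alice\nusers:x:100:\n"
SAMPLE_FSTAB = (
    "fileserver:/export/home /home nfs rw,hard,intr 0 0\n"
    "fileserver:/export/srv  /srv  nfs rw,nosuid,nodev 0 0\n"
)
SAMPLE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# (path, st_mode permission bits, st_gid) as os.stat() would report them.
SAMPLE_DIRS = [("/usr/local/bin", 0o2775, 50), ("/usr/local/sbin", 0o2775, 50)]
LOCAL_DIRS = ("/usr/local/bin", "/usr/local/sbin")

def parse_groups(text):
    """Map group name -> (gid, [members]) from /etc/group-style lines."""
    groups = {}
    for line in text.splitlines():
        name, _pw, gid, members = line.split(":")
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups

def nfs_mounts_without_nosuid(fstab_text):
    """Mount points of NFS filesystems (nfs, nfs4) whose options lack nosuid."""
    hits = []
    for line in fstab_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[2].startswith("nfs") and "nosuid" not in f[3].split(","):
            hits.append(f[1])
    return hits

def staff_writable_dirs(dirs, staff_gid):
    """Directories owned by the staff group that carry the group-write bit."""
    return [p for p, mode, gid in dirs if gid == staff_gid and mode & stat.S_IWGRP]

def audit(group_text, fstab_text, path, dirs):
    """Return, per precondition, the evidence found (empty list means 'ok')."""
    staff_gid, members = parse_groups(group_text).get("staff", (None, []))
    return {
        "staff_nonempty": members,
        "nfs_without_nosuid": nfs_mounts_without_nosuid(fstab_text),
        "usr_local_in_root_path": [d for d in path.split(":") if d in LOCAL_DIRS],
        "usr_local_staff_writable": staff_writable_dirs(dirs, staff_gid),
    }

if __name__ == "__main__":
    for name, hit in audit(SAMPLE_GROUP, SAMPLE_FSTAB, SAMPLE_PATH, SAMPLE_DIRS).items():
        print(f"{name}: {hit or 'ok'}")
```

On the constructed sample every client-side precondition holds except for the /srv mount, which is the only one exported with nosuid; a real run would feed the functions the host's actual /etc/group, /etc/fstab, root's PATH and os.stat() output.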

