
Bug#384922: NFS insecure without support for squashing multiple groups



severity 384922 critical
thanks

Dear Steve,

> It happens to be very dangerous to share a filesystem via NFS between
> systems that have different security contexts.  This does not make it a
> critical bug ...

Is it acceptable for a root compromise of one system to easily propagate
onto another?

I am confused: what is the use and intent of root_squash, why is it enabled
by default, and why is there an option to turn it off?

Is it documented that NFS must never be used between systems in different
security contexts, other than that UID/GIDs should match?

>> Sorry, as I read Debian policy (and as discussed in #299007), I am not
>> permitted to change root's PATH or change the permissions on /usr/local.
>
> *You* are permitted to do either of these things.  Whether they will be done
> by default in *Debian* is a separate question.

Could you please point me to where that is documented, and maybe explain
what the policy applies to?

If policy may be ignored, then is there such a thing as a critical bug?
"Turn it off or fix it yourself and you will be safe": is that good enough?

---

>> No need for the attacker to have direct login access to the NFS server:
>> if there is some user activity there, that could be trojaned.
>
> Now you're not even talking about anything that can be *fixed* by
> smash_gids, you're talking about trojaning arbitrary files that will be
> accessed by individual users on the NFS server.  The only way you can guard
> against a compromised client in that case is to never share home
> directories of any users you're worried about!

I am talking about what an attacker can do, once he "gets root" on the
client. I "trust" my users (to have no skills to attack). And it can be
fixed: root on the server will be safe if we fix either of the last two
points, in the policy or if the policy allows us to fix our systems; or
if at great expense we implement squashing GIDs.

> The answer remains, "don't set your NFS environment up that way."

The correct answer seems to be fix or ignore the policy.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


