
Bug#384922: NFS insecure without support for squashing multiple groups



I will re-phrase the problem, this may be clearer for some people:

  The root_squash option is to protect from an "evil root". Though group
  staff is root-equivalent, root_squash does not currently squash that group
  (for various reasons, the kernel not supporting such options being one).
  An "evil root" could become group staff on the client, not get squashed
  across NFS, then become root on the server: root_squash is defeated.

Methods of exploitation, and ways to fix, were discussed already.

I know this bug renders my systems exploitable as we relied on the default
root_squash working, and never set non-default permissions on /usr/local or
altered root's PATH. I believe it renders many other systems exploitable
also, but have no ways to test that hypothesis.

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
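
An audit for the exposure described in the message above, as an added example that is not part of the original post: it lists directories on a PATH-style string that are writable by a group root_squash does not map (root_squash maps only uid/gid 0). The function name and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message. audit_path_dirs and its
# arguments are hypothetical names chosen for this illustration.
#
# usage: audit_path_dirs "$PATH" [squashed_gid]
#   Prints every existing directory in the colon-separated list that is
#   group-writable and whose group is NOT the squashed gid (default 0,
#   the only gid root_squash maps to the anonymous gid).
#   On the server, run it as root against root's own PATH; a root:staff
#   mode 2775 /usr/local/bin is the kind of entry it reports.
audit_path_dirs() (
    # Body runs in a subshell so IFS and noglob do not leak to the caller.
    squashed_gid=${2:-0}
    set -f          # no filename expansion while splitting the list
    IFS=:
    for dir in $1; do
        # Empty elements (current directory) and missing paths are skipped.
        [ -d "$dir" ] || continue
        # -H: follow a symlinked PATH entry (e.g. /bin -> usr/bin).
        # -prune: test the directory itself, do not descend into it.
        # -perm -020: group write bit is set.
        find -H "$dir" -prune -perm -020 ! -group "$squashed_gid" -print
    done
)
```

An empty result means no directory on the list is writable through an unsquashed group; it says nothing about other root-owned paths outside the list.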


