Bug#384922: NFS insecure without support for squashing multiple groups
On Sat, Sep 02, 2006 at 11:57:03PM +1000, Paul Szabo wrote:
> I will re-phrase the problem, this may be clearer for some people:
>
> The root_squash option is to protect from an "evil root". Though group
> staff is root-equivalent, root_squash does not currently squash that group
> (for various reasons, the kernel not supporting such options being one).
> An "evil root" could become group staff on the client, not get squashed
> across NFS, then become root on the server: root_squash is defeated.
>
> Methods of exploitation, and ways to fix, were discussed already.
>
> I know this bug renders my systems exploitable as we relied on the default
> root_squash working, and never set non-default permissions on /usr/local or
> altered root's PATH. I believe it renders many other systems exploitable
> also, but have no ways to test that hypothesis.
Please file an enhancement bug at bugzilla.kernel.org if you want to see
that fixed upstream.
Cheers,
Moritz
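
An added example, not part of either message above: a server-side audit for the exposure described in the quoted report, listing directories on root's PATH (and their ancestors) that stay writable to an NFS client because root_squash remaps only uid/gid 0. It goes one step beyond the thread's group case by also flagging non-root owners and world-writable directories; the function names and the sample table (gid 50 standing in for "staff") are assumptions made for the illustration.

```python
import os
import stat
from types import SimpleNamespace


def squash_gap(mode, uid, gid):
    """Return why root_squash does not cover this directory, or None."""
    if not stat.S_ISDIR(mode):
        return None
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP and gid != 0:
        return f"group-writable by gid {gid}"
    if uid != 0:
        return f"owned by uid {uid}"
    return None


def audit_path(path_value, stat_fn=os.stat):
    """Check every PATH directory and each of its ancestors."""
    findings, seen = [], set()
    for entry in filter(None, path_value.split(os.pathsep)):
        d = os.path.abspath(entry)
        while d not in seen:  # "/" is its own parent, so the walk ends there
            seen.add(d)
            try:
                st = stat_fn(d)
                reason = squash_gap(st.st_mode, st.st_uid, st.st_gid)
            except OSError:
                reason = None  # missing or unreadable: nothing to report
            if reason:
                findings.append((d, reason))
            d = os.path.dirname(d)
    return findings


# Constructed sample (not taken from the thread): path -> (mode, uid, gid).
SAMPLE = {
    "/": (0o040755, 0, 0),
    "/usr": (0o040755, 0, 0),
    "/usr/bin": (0o040755, 0, 0),
    "/usr/local": (0o042775, 0, 50),
    "/usr/local/bin": (0o042775, 0, 50),
}


def sample_stat(path):
    if path not in SAMPLE:
        raise FileNotFoundError(path)
    mode, uid, gid = SAMPLE[path]
    return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)


if __name__ == "__main__":
    for d, reason in audit_path(os.environ.get("PATH", "")):
        print(f"{d}: {reason}")
```

Run it as root on the NFS server so that it inspects root's own PATH; it only reports on directories that sit inside an exported filesystem if you restrict the PATH value you pass in accordingly.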