[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#384922: NFS insecure without support for squashing multiple groups

On Sat, Sep 02, 2006 at 11:57:03PM +1000, Paul Szabo wrote:
> I will re-phrase the problem, this may be clearer for some people:
> 
>   The root_squash option is to protect from an "evil root". Though group
>   staff is root-equivalent, root_squash does not currently squash that group
>   (for various reasons, the kernel not supporting such options being one).
>   An "evil root" could become group staff on the client, not get squashed
>   across NFS, then become root on the server: root_squash is defeated.
> 
> Methods of exploitation, and ways to fix, were discussed already.
> 
> I know this bug renders my systems exploitable as we relied on the default
> root_squash working, and never set non-default permissions on /usr/local or
> altered root's PATH. I beleive it renders many other systems exploitable
> also, but have no ways to test that hypothesis.

Please file an enhancement bug at bugzilla.kernel.org if you want to see
that fixed upstream.

Cheers,
        Moritz
Reply to: