
Bug#384922: NFS insecure without support for squashing multiple groups



Hi,

Paul Szabo wrote:

> I will re-phrase the problem, this may be clearer for some people:
>
>   The root_squash option is to protect from an "evil root". Though group
>   staff is root-equivalent, root_squash does not currently squash that group
>   (for various reasons, the kernel not supporting such options being one).
>   An "evil root" could become group staff on the client, not get squashed
>   across NFS, then become root on the server: root_squash is defeated.

Thanks.  I agree with this problem statement, with a clarification that
other root-equivalent users and groups pose the same problem.

The moral of the discussion upstream[1] seems to have been that
AUTH_SYS with untrusted root on clients is not a good fit, and that in
the example scenario where

 - the NFS share contains setuid binaries
 - the NFS share is backed by or exported to a system where the
   attacker has shell access
 - we would like to avoid a compromise of one client machine spreading
   to others (i.e., clients are not trusted)

NFSv4 with Kerberos authentication would be less broken.  root_squash
is a simplistic and incomplete band-aid.

Any idea where we should document this to avoid others running into
the same problem?  Are there any NFSv4 fixes from upstream that
squeeze or wheezy should adopt to better support your systems?

Jonathan

[1] using links from https://bugzilla.kernel.org/show_bug.cgi?id=14295
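
An added example, not part of the original message and not nfs-utils code: a simplified audit of exports(5) entries that lists the exports still accepting AUTH_SYS (`sec=sys`, the default), where the uid and group list come from the client and root_squash remaps only uid/gid 0. The sample file contents and the function name `audit_exports` are constructed for illustration; default-option (`-`) entries and line continuations are not handled.

```python
import re

# Constructed sample /etc/exports content (not taken from the thread).
SAMPLE_EXPORTS = """\
# constructed example
/srv/home    192.0.2.0/24(rw,root_squash)
/srv/tools   client1.example.org(ro,sec=sys:krb5) client2.example.org(rw,sec=krb5p)
/srv/scratch *(rw,all_squash)
/srv/build   192.0.2.10(rw,no_root_squash,sec=sys)
"""

TOKEN_RE = re.compile(r"([^()]*)\(([^()]*)\)")


def audit_exports(text):
    """Return (path, client, root handling) for exports that accept AUTH_SYS."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or path without a client list
        path, clients = fields[0], fields[1:]
        for tok in clients:
            m = TOKEN_RE.fullmatch(tok)
            client, optstr = (m.group(1) or "*", m.group(2)) if m else (tok, "")
            opts = [o for o in optstr.split(",") if o]
            # exports(5): the security flavor defaults to sys when sec= is absent.
            flavors = ["sys"]
            for o in opts:
                if o.startswith("sec="):
                    flavors = o[4:].split(":")
            if "sys" not in flavors:
                continue  # Kerberos-only export: ids are not taken from the client
            if "all_squash" in opts:
                continue  # every uid/gid is mapped to anonymous, groups included
            # Here the client-supplied uid and group list are honoured; root_squash
            # (the default) remaps only uid/gid 0, so other groups pass unchanged.
            root = "no_root_squash" if "no_root_squash" in opts else "root_squash"
            findings.append((path, client, root))
    return findings


if __name__ == "__main__":
    for path, client, root in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: AUTH_SYS accepted ({root}); "
              "client-asserted groups are not squashed")
```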


