On Sun, Mar 25, 2001 at 12:19:35PM +1000, Damon Muller wrote:
> # /etc/exports: the access control list for filesystems which may be exported
> # to NFS clients. See exports(5).
> /null localhost

i have read that exporting nfs filesystems to localhost is a huge
security hole, but it's never explained why...

> /tmp 192.168.13.0/255.255.255.0(rw)
> # Automatically added for use by cfs
> /.cfsfs localhost(rw) # Cryptographic Filesystem export
>
> And restarted /etc/init.d/nfs-server.
>
> I went to the BSD box (narcolepsy), and ran:
>
> [narcolepsy:~]% mount rei:/tmp /mnt
> mount_nfs: can't access /tmp: Permission denied
>
> On my Debian box (rei), I got the following in the logs:
>
> Mar 25 12:06:49 rei mountd[18186]: NFS mount of /tmp attempted from
> 192.168.13.70
> Mar 25 12:06:49 rei mountd[18186]: NFS request from
> narcolepsy originated on insecure port, psychoanalysis suggested
> Mar 25 12:06:49 rei mountd[18186]: Blocked attempt of 192.168.13.70 to
> mount /tmp

read the openbsd man page for mount and find the option to make it use a
privileged source port when mounting the filesystem. linux requires
this by default.

> I didn't think that there was anything particularly strange about what I
> did, so I'm at a bit of a loss. I'm not sure what it means by "insecure
> port", and whether it's a BSD or Linux issue. I'm a lot more familiar
> with Linux than BSD, FWIW.

insecure ports are any port > 1023. only root may bind to ports below
1024. the way i understand it, if you allow connections from any old
port then an ordinary luser on any machine can mount the filesystem
saying they are root [1] (or whoever) and get that access, since NFS
implicitly trusts the client. by restricting connections to privileged
source ports you are sure that it's root on the client and not some
luser trying to connect to your box. i could be wrong though.

[1] linux also by default maps root to nobody, but this isn't very
useful on /home since the luser in question can just say they are
whoever they want (other than root) and get access to anyone's home
directory.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
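The reply above explains two protections a Linux NFS server relies on: requiring the client's request to come from a privileged source port (below 1024, which only root can bind) and mapping remote root to nobody. The following is an added example, not code from the thread or from any NFS implementation, that audits an /etc/exports file for settings which switch those protections off and pulls mountd's "insecure port" refusals out of a syslog extract. It assumes Linux exports(5) option names (secure/insecure, root_squash/no_root_squash, rw/ro); the exports text and log lines are constructed for this example, modelled on the ones quoted in the thread.

```python
"""Audit /etc/exports and mountd log lines for the NFS source-port and
root-squash issues discussed in the thread (added example, assumptions noted)."""
import re
from dataclasses import dataclass, field

PRIVILEGED_PORT_MAX = 1023  # only root may bind ports 0-1023


def is_privileged_port(port: int) -> bool:
    """True if a TCP/UDP source port could only have been bound by root."""
    return 0 <= port <= PRIVILEGED_PORT_MAX


@dataclass
class Export:
    path: str
    client: str           # host, network, or "*" for every host
    options: set = field(default_factory=set)


_SPEC_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")   # host(opt,opt) or (opt,opt)


def parse_exports(text: str) -> list:
    """Parse exports(5)-style lines into Export records.

    Handles several client specs per line and trailing '# comments'. A spec
    with no host part, e.g. "/pub (ro)", is exported to every host, which is
    exactly the "space before the parenthesis" mistake exports(5) warns about.
    """
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path = parts[0]
        for spec in parts[1:]:
            m = _SPEC_RE.match(spec)
            if not m:
                raise ValueError(f"cannot parse export spec {spec!r}")
            client = m.group(1) or "*"
            opts = {o.strip() for o in (m.group(2) or "").split(",") if o.strip()}
            exports.append(Export(path, client, opts))
    return exports


def audit_exports(text: str) -> list:
    """Return (path, client, finding) tuples for exports that drop a protection."""
    findings = []
    for e in parse_exports(text):
        if "insecure" in e.options:
            findings.append((e.path, e.client,
                             "accepts requests from unprivileged source ports (>1023)"))
        if "no_root_squash" in e.options:
            findings.append((e.path, e.client, "remote root is not mapped to nobody"))
        if e.client == "*":
            findings.append((e.path, e.client, "exported to every host"))
    return findings


# Message formats copied from the mountd lines quoted in the thread.
_INSECURE_RE = re.compile(r"mountd\[\d+\]: NFS request from (\S+) originated on insecure port")
_BLOCKED_RE = re.compile(r"mountd\[\d+\]: Blocked attempt of (\S+) to mount (\S+)")


def scan_mountd_log(lines) -> list:
    """Collect (kind, host, path) events for refused mounts in mountd log lines."""
    events = []
    for line in lines:
        m = _INSECURE_RE.search(line)
        if m:
            events.append(("insecure_port", m.group(1), None))
            continue
        m = _BLOCKED_RE.search(line)
        if m:
            events.append(("blocked", m.group(1), m.group(2)))
    return events


# Constructed sample input, modelled on the thread (not real configuration).
SAMPLE_EXPORTS = """\
# /etc/exports: constructed sample
/null      localhost
/tmp       192.168.13.0/255.255.255.0(rw)
/.cfsfs    localhost(rw)            # Cryptographic Filesystem export
/home      192.168.13.0/255.255.255.0(rw,no_root_squash)
/pub       (ro,insecure)
"""

# Constructed log lines, joined onto single lines as syslog writes them.
SAMPLE_LOG = [
    "Mar 25 12:06:49 rei mountd[18186]: NFS mount of /tmp attempted from 192.168.13.70",
    "Mar 25 12:06:49 rei mountd[18186]: NFS request from narcolepsy originated on insecure port, psychoanalysis suggested",
    "Mar 25 12:06:49 rei mountd[18186]: Blocked attempt of 192.168.13.70 to mount /tmp",
]

if __name__ == "__main__":
    for path, client, why in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} -> {client}: {why}")
    for kind, host, path in scan_mountd_log(SAMPLE_LOG):
        print(kind, host, path or "")
```

On the sample, the audit flags /home for no_root_squash and /pub both for accepting unprivileged source ports and for being exported to every host, while the log scan reports narcolepsy's request as refused for an insecure port and the blocked /tmp mount from 192.168.13.70; the three exports that keep the defaults produce no findings.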