
Re: Mounting Linux 2.4 NFS share on an OpenBSD 2.8 machine



On Sun, Mar 25, 2001 at 12:19:35PM +1000, Damon Muller wrote:

> # /etc/exports: the access control list for filesystems which may be exported
> #		to NFS clients.  See exports(5).
> /null		localhost

I have read that exporting NFS filesystems to localhost is a huge
security hole, but it's never explained why...

> /tmp 192.168.13.0/255.255.255.0(rw)
> # Automatically added for use by cfs
> /.cfsfs localhost(rw)  # Cryptographic Filesystem export
> 
> And restarted /etc/init.d/nfs-server.
> 
> I went to the BSD box (narcolepsy), and ran:
> 
> [narcolepsy:~]% mount rei:/tmp /mnt
> mount_nfs: can't access /tmp: Permission denied
> 
> On my Debian box (rei), I got the following in the logs:
> 
> Mar 25 12:06:49 rei mountd[18186]: NFS mount of /tmp attempted from
> 192.168.13.70
> Mar 25 12:06:49 rei mountd[18186]: NFS request from
> narcolepsy originated on insecure port, psychoanalysis suggested
> Mar 25 12:06:49 rei mountd[18186]: Blocked attempt of 192.168.13.70 to
> mount /tmp

Read the OpenBSD man page for mount and find the option to make it use
a privileged source port when mounting the filesystem.  Linux requires
this by default.

> I didn't think that there was anything particularly strange about what I
> did, so I'm at a bit of a loss. I'm not sure what it means by "insecure
> port", and whether it's a BSD or Linux issue. I'm a lot more familiar
> with Linux than BSD, FWIW.

Insecure ports are any port > 1023.  Only root may bind to ports below
1024.  The way I understand it, if you allow connections from any old
port then an ordinary luser on any machine can mount the filesystem
saying they are root [1] (or whoever) and get that access, since NFS
implicitly trusts the client.  By restricting connections to privileged
source ports you are sure that it's root on the client and not some
luser trying to connect to your box.

I could be wrong though.

[1] Linux also by default maps root to nobody, but this isn't very
useful on /home since the luser in question can just say they are
whoever they want (other than root) and get access to anyone's home
directory.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
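Added example, not from the thread or either poster: a small Python audit of a Linux exports(5) file that flags the two options the reply's trust model hinges on, `insecure` (mount requests accepted from unprivileged source ports) and `no_root_squash` (client root not mapped to nobody), plus entries exported to every host. The sample exports file is constructed, modelled on the quoted one; the `parse_exports`/`audit` names and the `RISKS` descriptions are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample exports file, modelled on the one quoted in the thread
# (the /home and /pub lines are added to show the risky cases).
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/null       localhost
/tmp        192.168.13.0/255.255.255.0(rw)
/.cfsfs     localhost(rw)  # Cryptographic Filesystem export
/home       192.168.13.0/255.255.255.0(rw,insecure,no_root_squash)
/pub        (ro)
"""

# What each finding means in terms of the NFS trust model discussed above.
RISKS = {
    "insecure": "mounts accepted from unprivileged (>1023) source ports, so any "
                "local user on the client can present requests as root",
    "no_root_squash": "root on the client is not mapped to nobody on the server",
    "world": "no client given, so every host may mount this export",
}

@dataclass
class Export:
    path: str
    client: str        # host, network, or '*' when the entry names no host
    options: list[str]

def parse_exports(text: str) -> list[Export]:
    """Parse exports(5) lines of the form: path host(opt,opt) host2(opt) ..."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        if not clients:
            clients = ["*"]                   # a bare path is exported to everyone
        for entry in clients:
            m = re.fullmatch(r"([^(]*)(?:\((.*)\))?", entry)
            if m is None:
                raise ValueError(f"malformed export entry: {entry!r}")
            host = m.group(1) or "*"          # '(opts)' with no host applies to all hosts
            opts = [o for o in (m.group(2) or "").split(",") if o]
            exports.append(Export(path, host, opts))
    return exports

def audit(exports: list[Export]) -> list[tuple[str, str, str]]:
    """Return (path, client, risk-key) triples; look the key up in RISKS for the reason."""
    findings = []
    for e in exports:
        findings += [(e.path, e.client, o) for o in ("insecure", "no_root_squash") if o in e.options]
        if e.client == "*":
            findings.append((e.path, e.client, "world"))
    return findings

if __name__ == "__main__":
    for path, client, risk in audit(parse_exports(SAMPLE_EXPORTS)):
        print(f"{path} -> {client}: {RISKS[risk]}")
```

Run it against a real `/etc/exports` by reading the file into `parse_exports` instead of the constructed sample.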


