02-18-2012, 04:16 PM
Jonathan Nieder

Bug#384922: NFS insecure without support for squashing multiple groups

Hi,

Paul Szabo wrote:

> I will re-phrase the problem, this may be clearer for some people:
>
> The root_squash option is to protect from an "evil root". Though group
> staff is root-equivalent, root_squash does not currently squash that group
> (for various reasons, the kernel not supporting such options being one).
> An "evil root" could become group staff on the client, not get squashed
> across NFS, then become root on the server: root_squash is defeated.

Thanks. I agree with this problem statement, with a clarification that
other root-equivalent users and groups pose the same problem.

The moral of the discussion upstream[1] seems to have been that
AUTH_SYS with untrusted root on clients is not a good fit, and that in
the example scenario where

- the NFS share contains setuid binaries
- the NFS share is backed by or exported to a system where the
  attacker has shell access
- we would like to avoid a compromise of one client machine spreading
  to others (i.e., clients are not trusted)

NFSv4 with kerberos authentication would be less broken. root_squash
is a simplistic and incomplete band-aid.

Any idea where we should document this to avoid others running into
the same problem? Are there any NFSv4 fixes from upstream that
squeeze or wheezy should adopt to better support your systems?

Jonathan

[1] using links from https://bugzilla.kernel.org/show_bug.cgi?id=14295



--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20120218171611.GA10638@burratino
 
02-19-2012, 10:59 AM

> ... AUTH_SYS with untrusted root on clients is not a good fit ...
> NFSv4 with kerberos authentication would be less broken. root_squash
> is a simplistic and incomplete band-aid.

NFSv4+krb is better only because it does not have a concept of groups.
Remove groups from AUTH_SYS, ignoring all groups or in other words doing
"manage primary group" similar to secondaries with -manage_gids, and
issue might be solved.
(In that sense NFSv4+krb is more broken, less feature-rich, than
AUTH_SYS.)

Cheers, Paul

Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia



Archive: http://lists.debian.org/201202191159.q1JBxYMM017647@bari.maths.usyd.edu.au
 
02-19-2012, 02:45 PM
Jonathan Nieder

paul.szabo@sydney.edu.au wrote:

> NFSv4+krb is better only because it does not have a concept of groups.
> Remove groups from AUTH_SYS, ignoring all groups or in other words doing
> "manage primary group" similar to secondaries with -manage_gids, and
> issue might be solved.

Surely the ability to squash multiple uids is also a help. ;-)

Do I understand correctly that you are requesting an export or mountd
option filter_gid, which would behave like --manage-gids except it
transforms the effective gid to anongid when the specified gid is not
a group the user belongs to? I haven't carefully looked over the
protocol specs but at first glance that seems sensible.

IIUC NFSv4+krb does have a concept of groups, though not a
particularly convenient one: different principals can map to the same
uid with different gids.



Archive: http://lists.debian.org/20120219154544.GC3657@burratino
 
02-19-2012, 07:11 PM

Dear Jonathan,

>> NFSv4+krb is better only because ...
> Surely the ability to squash multiple uids is also a help. ;-)

Not when asking to squash groups. :-)

I thought that idmapd worked also with AUTH_SYS.

> Do I understand correctly that you are requesting an export or mountd
> option filter_gid, which would behave like --manage-gids except it
> transforms the effective gid to anongid when the specified gid is not
> a group the user belongs to? I haven't carefully looked over the
> protocol specs but at first glance that seems sensible.

Yes, my exact wish.

Thanks, Paul

Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia



Archive: http://lists.debian.org/201202192011.q1JKB1PB023203@bari.maths.usyd.edu.au
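
The credential handling discussed in this thread, as an added example that is not part of the original messages and is not nfs-utils or kernel code. It is a simplified model of how a server could map an AUTH_SYS credential under root_squash, --manage-gids, and the filter_gid option proposed above (hypothetical; it does not exist); all uids, gids and the group database are constructed for illustration.

```python
from dataclasses import dataclass

ANON = 65534  # anonuid/anongid for squashed ids (assumed value for this model)
STAFF = 50    # gid of group "staff" in this constructed database

# Constructed server-side account data: primary gid per uid, extra members per gid.
PRIMARY_GID = {1000: 1000, 1001: 1001}
GROUP_MEMBERS = {STAFF: {1001}}

@dataclass(frozen=True)
class Cred:
    """AUTH_SYS credential as asserted by the client: uid, gid, supplementary gids."""
    uid: int
    gid: int
    groups: frozenset

def server_groups(uid):
    """Groups the server's own database grants to uid."""
    gids = {g for g, members in GROUP_MEMBERS.items() if uid in members}
    if uid in PRIMARY_GID:
        gids.add(PRIMARY_GID[uid])
    return gids

def map_cred(cred, root_squash=True, manage_gids=False, filter_gid=False):
    """Return the credential the server would act on under the chosen options."""
    uid, gid, groups = cred.uid, cred.gid, set(cred.groups)
    if manage_gids or filter_gid:
        # Supplementary groups come from the server's lookup, not from the client.
        groups = server_groups(uid)
    if filter_gid and gid not in server_groups(uid):
        # Hypothetical option from the thread: an unverified primary gid becomes anongid.
        gid = ANON
    if root_squash:
        # root_squash only rewrites id 0; every other uid/gid passes through.
        uid = ANON if uid == 0 else uid
        gid = ANON if gid == 0 else gid
        groups = {ANON if g == 0 else g for g in groups}
    return Cred(uid, gid, frozenset(groups))

# Constructed requests: uid 1000 is not in staff on the server, uid 1001 is.
claimed = Cred(1000, STAFF, frozenset({STAFF}))
member = Cred(1001, STAFF, frozenset({1001}))

if __name__ == "__main__":
    for label, opts in [("root_squash", {}), ("manage_gids", {"manage_gids": True}),
                        ("filter_gid", {"filter_gid": True})]:
        print(label, map_cred(claimed, **opts), map_cred(member, **opts))
```

In this model the client-asserted primary gid survives both root_squash and manage_gids, and only the filter_gid step checks it against the server's group database, while a genuine staff member keeps the group.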
 
