Subject: Re: security/6594: the default "nobody" credentials (32767:9999) do not match mountd's default (-2:-2)
To: NetBSD GNATS submissions and followups <firstname.lastname@example.org>
From: David Laight <email@example.com>
Date: 09/07/2002 22:58:15
On Sat, Sep 07, 2002 at 05:30:07PM -0400, Greg A. Woods wrote:
> Not my GCC. :-)
No, but the new one Jason is playing with might.
It generated rather a lot of signed/unsigned warnings he's been fixing.
> In any case I intended them to be cast when they are used,
Why? I actually dislike casts - they are too powerful for most places .
Since these are constants of type uid_t they really ought to be in
the domain of the type. Otherwise you might as well just use -2, at
least then it is obvious what is going on....
> > I was wondering whether the 'correct' fix isn't here, but is where
> > file premissions are checked (access?).
> No, I don't think so. The UID/GID mapping is set up by mountd. The
> mapping for superuser->anonymous is just a special common case of the
> more general mapping now also allowed by the newer '-mapall' option.
> > There uid/gid values of
> > -2 could explicitly not match any user or group.
> I'm sure what you mean by that. Do you mean "their", as in "the
> client's uid/gid values of -2/-2"?
No, "there, ..." as in where the permissions are checked.
> The mountd code needs to have some kind of default just in case the
> local user database doesn't contain a "nobody" (or whatever) user.
No: the default (checked man page again) is -maproot=-2:-2
> It's really irrelevant what any client might have as a user or group for
> the ID "-2". In a configuration set up as intended by the original
> implementers I suppose the user and group databases would be shared via
> NIS/YP, but all that really matters is the server be able to map
> accesses by client superusers into some non-superuser ID.
Does NFS predate NIS/YP? It could easily ...
> The general idea behind the NFS anonymous user is to map access
> credentials from remote superusers into some local UID which in general
> is least-privileged (i.e. owns no files and thus can only write to
> world-writable places).
Yes - I was wondering whether that ought to be tightly enforced?
ie even if a file has uid -2 it still can't be accessed?
The permissions for created files become problematical...
> > Is -mapall=-2:-2 valid?
> Sure (it should be, though I've not ever tried it). Why do you think it
> would not be?
I hadn't checked that numbers were valid, especially -ve ones :-)
 mainly due to the ability to change pointers to integers, which is only
required rairly. I will sometimes define macros to do strongly typed
#define SCHAR_TO_UCHAR(c) ((uchar *)0 + (c - (char *)0))
Although inline functions have the same effect (in gcc).
David Laight: firstname.lastname@example.org