Subject: bin/26890: /etc/security NFS export check does not recognize -network
To: None <gnats-bugs@gnats.NetBSD.org>
From: None <arto@selonen.org>
List: netbsd-bugs
Date: 09/09/2004 07:14:22
>Number:         26890
>Category:       bin
>Synopsis:       /etc/security NFS export check does not recognize -network
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Sep 09 07:15:00 UTC 2004
>Closed-Date:
>Last-Modified:
>Originator:     Arto Selonen
>Release:        NetBSD-current ~20040901
>Organization:
>Environment:
NetBSD blah 2.0G NetBSD 2.0G (BLAH) #0: Wed Sep  1 13:34:16 EEST 2004  blah@blah:/obj/sys/arch/i386/compile/BLAH i386

>Description:
The exports(5) manual page describes three ways to define who may mount an
exported file system. Two of them simply list host names or netgroup names,
but the third uses the "-network=" form, which the awk script in /etc/security
ignores. As a result, file systems exported only to limited networks are
reported as globally exported. Furthermore, if a file system is exported to
more than one network, it is listed multiple times.

>How-To-Repeat:
Create e.g. the following /etc/exports:

   /fake/filesystem  -ro  -network=192.168.0.0 -mask 255.255.255.0

and run /etc/security. Observe that the file system is reported as
globally exported.
>Fix:
The following patch makes the check skip exported file systems whose export
line contains a "-network" option:

*** security.orig       Wed Sep  1 15:41:14 2004
--- security    Thu Sep  9 09:56:57 2004
***************
*** 581,586 ****
--- 581,588 ----
                for (i = 2; i <= NF; ++i) {
                        if ($i ~ /-ro/)
                                readonly = 1;
+                       else if ($i ~ /^-network/)
+                               next;
                        else if ($i !~ /^-/)
                                next;
                }
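Review bot: the added `else if ($i ~ /^-network/) next;` skips the whole export line as soon as any -network option is seen, so a line exported with -network=0.0.0.0 (which the report itself notes is effectively a global export) is no longer reported at all; consider examining the network argument and only issuing `next` when it is something other than 0.0.0.0, so that the world-open case still shows up. Since the new test runs after the `$i ~ /-ro/` test but before the `$i !~ /^-/` host-name test, the ordering is otherwise fine; note, however, that `/^-network/` is a prefix match, so it also catches the space-separated `-network ADDR` form, where the address sits in the following field.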


Note that a file system exported with "-network=0.0.0.0" will also be
ignored, even though it is effectively globally exported. Such false
negatives are probably quite rare compared to the current false positives.
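A standalone version of the export check that also flags the 0.0.0.0 case mentioned above, as an added example (not part of this PR or of the /etc/security script); the /etc/exports content is constructed for the purpose, and the awk variable names are mine:

```shell
#!/bin/sh
# Constructed sample /etc/exports covering the cases discussed in the report:
# a -network export (with = and with a space), a host list, options only
# (truly global), and -network 0.0.0.0, which restricts nothing.
SAMPLE_EXPORTS='/fake/filesystem  -ro  -network=192.168.0.0 -mask 255.255.255.0
/data            -maproot=root host1 host2
/pub             -ro
/world           -network 0.0.0.0 -mask 0.0.0.0
/alsoworld       -ro -network=0.0.0.0/0
/mirror          -network=10.0.0.0/8'

# check_exports: read exports(5) lines on stdin and print "<fs> (ro|rw)" for
# every file system exported to the world, i.e. with no host or netgroup
# names and no -network restriction other than 0.0.0.0.
check_exports() {
    awk '
    /^#/ || NF == 0 { next }
    {
        readonly = 0; world = 1
        for (i = 2; i <= NF; ++i) {
            if ($i == "-ro")
                readonly = 1
            else if ($i ~ /^-network/) {
                # accept both "-network=ADDR" and "-network ADDR"
                net = $i
                sub(/^-network=?/, "", net)
                if (net == "") net = $(++i)
                # a 0.0.0.0 network (optionally /0) is no restriction at all
                if (net !~ /^0\.0\.0\.0(\/0)?$/) world = 0
            } else if ($i == "-mask")
                ++i           # the netmask follows as its own field
            else if ($i !~ /^-/)
                world = 0     # host or netgroup name: not a world export
        }
        if (world) printf "%s (%s)\n", $1, readonly ? "ro" : "rw"
    }' "$@"
}

printf '%s\n' "$SAMPLE_EXPORTS" | check_exports
```

Run against the sample above it lists /pub, /world and /alsoworld and stays silent about the exports restricted to 192.168.0.0 and 10.0.0.0/8.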
>Release-Note:
>Audit-Trail:
>Unformatted: