Subject: mountd -n and sun3 mount
To: None <cgd@alpha.bostic.com>
From: Charlie Root <root@snowhite.cis.uoguelph.ca>
List: port-sun3
Date: 08/11/1994 15:21:26
Hi,

> 	(1) with AUTH_NULL
Hmm. The original spec. I worked from (Section #3 of Networking on the Sun
Workstation) states that only AUTH_UNIX is used, however the RFC states that
both AUTH_UNIX and AUTH_NULL are supported...

> 	(2) from a privileged port
Mike Karels and I have always thought that requiring a reserved port # is a
crock but I will admit that, for the one case of a hacker trying to run his
own NFS client on an otherwise secure system (in the old /etc/hosts.equiv
sense of a trusted secure root id), it makes some sense to require a
reserved port # from that host.

Requiring the uid == 0 is completely useless and I vaguely recall that it was
the OSF boys that insisted that it should be there (anyhow, they are long gone,
so I can get away with blaming them:-).

As such, I suppose mountd should ignore the authentication credentials
entirely (AUTH_DES and AUTH_KERB are not supported, according to the RFC)
and either:
a) ignore the port # as well
or
b) check for a reserved port # for hosts where it is useful
  (this should probably be an export option in /etc/exports, so that it is
   on a per-host basis, instead of a global "-n" for all hosts.)

I would suggest b), but until implemented, you can just take the
credential checks out anyhow. Does this make sense?

[gwr writes...]
   I suggest we make our mountd behave the same way.
   
   The check for RPC auth. data provides no real security anyway:
   (1) The only access provided is "read the export list"
   (2) You can restrict to trusted clients with rw=... access=...
   (3) Spoofing clients could easily provide AUTH_UNIX credentials
   
   The check for a reserved port is also a weak security check.
   It is usually easy to get root access on some machine on the
   network (i.e. hook up your own) and then you can easily send
   requests using reserved IP port numbers.
   
   In summary, I think the "weak" checks (port numbers, AUTH_UNIX)
   are a false security and hardly worth bothering with; they only
   work if you control all the RPC clients you talk to.
   
   If one wants real security, AUTH_DES or better is required.

As above, I agree, except maybe to only require the reserved port # for
specific hosts in /etc/exports, for hosts where it actually means something.
(If for no other reason, so that the man page can explain how weak this
 "security" feature is for most cases:-)

Have fun, rick
ps: I'll take a look at mountd.c and see what it would take to add the
    "check reserved port#" export option.
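Added example, not code from the message, from mountd.c or from the NetBSD project: a C sketch of option b) above, where RPC credentials are ignored entirely and the reserved-port check is applied only to hosts that ask for it. The `export_host` structure, the `require_resvport` flag (standing in for a hypothetical per-host /etc/exports option) and the sample addresses are all assumptions made for illustration.

```c
/* Added example (not mountd.c): per-host "check reserved port" policy.
 * The export_host table and its require_resvport flag are assumptions
 * standing in for a per-host /etc/exports option; the addresses are
 * constructed sample data. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#ifndef IPPORT_RESERVED
#define IPPORT_RESERVED 1024
#endif

/* One client from the export list and whether the check applies to it. */
struct export_host {
    const char *name;       /* client name as it would appear in /etc/exports */
    struct in_addr addr;    /* its address */
    int require_resvport;   /* 1 when the (assumed) per-host option was given */
};

/* Did the RPC request arrive from a reserved (< 1024) source port? */
int is_reserved_port(const struct sockaddr_in *from)
{
    return ntohs(from->sin_port) < IPPORT_RESERVED;
}

/* Find the client by source address; NULL when it is not exported to. */
const struct export_host *find_host(const struct export_host *tab, size_t n,
                                    const struct sockaddr_in *from)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (tab[i].addr.s_addr == from->sin_addr.s_addr)
            return &tab[i];
    return NULL;
}

/* Policy from the message: AUTH_UNIX/AUTH_NULL credentials (uid etc.) are not
 * consulted at all; the reserved-port requirement is enforced only for hosts
 * flagged for it. Returns 1 to accept the mount request, 0 to reject it. */
int mount_request_allowed(const struct export_host *tab, size_t n,
                          const struct sockaddr_in *from)
{
    const struct export_host *h = find_host(tab, n, from);
    if (h == NULL)
        return 0;                       /* not in the export list */
    if (h->require_resvport && !is_reserved_port(from))
        return 0;                       /* option set, but high source port */
    return 1;
}

/* Constructed sample export table: one host with the option, one without. */
const struct export_host *sample_table(size_t *n)
{
    static struct export_host tab[2];
    tab[0].name = "trusted";
    inet_pton(AF_INET, "10.0.0.5", &tab[0].addr);
    tab[0].require_resvport = 1;
    tab[1].name = "lax";
    inet_pton(AF_INET, "10.0.0.9", &tab[1].addr);
    tab[1].require_resvport = 0;
    *n = 2;
    return tab;
}

/* Build a constructed source address for a request. */
struct sockaddr_in make_from(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    inet_pton(AF_INET, ip, &sa.sin_addr);
    return sa;
}

/* Convenience: evaluate one request against the sample table. */
int check_request(const char *ip, unsigned short port)
{
    size_t n;
    const struct export_host *tab = sample_table(&n);
    struct sockaddr_in from = make_from(ip, port);
    return mount_request_allowed(tab, n, &from);
}

int main(void)
{
    printf("trusted host, port 700:   %d\n", check_request("10.0.0.5", 700));
    printf("trusted host, port 40000: %d\n", check_request("10.0.0.5", 40000));
    printf("lax host, port 40000:     %d\n", check_request("10.0.0.9", 40000));
    printf("unknown host, port 700:   %d\n", check_request("10.0.0.77", 700));
    return 0;
}
```

The point of keeping the check per host is the one made in the message: for a client you do not control, a reserved source port proves nothing, so the option should only be switched on where the client machine itself is trusted.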
