Subject: Re: exporting -ro nfs
To: None <tech-kern@NetBSD.org, tech-security@NetBSD.org>
From: George Georgalis <george@galis.org>
List: tech-kern
Date: 01/26/2007 17:25:40
On Fri, Jan 26, 2007 at 01:47:32PM -0800, Jonathan Stone wrote:
>
>In message <200701262135.QAA04542@Sparkle.Rodents.Montreal.QC.CA>,
>der Mouse writes:
>
>>> The mountd won't respond to a mount request for /usr unless "alldirs"
>>> was specified, but it is true that a "bad guy" could guess/replay a
>>> file handle for /usr and go from there.
>>
>>I think it's actually worse than that; given a file handle for
>>/usr/foo/bar/blee, someone not running normal client code could do ..
>>lookups to walk up as far as the server will permit (which usually
>>means, to the mount point on the server - /usr in this case).
>>
>>It's been a while since I had my hands dirty with NFS, but I'm pretty
>>sure that's how it generally works.
>
>I'm sure that's how the original SunOS 3/4 implementation works, and
>how Rick's 4.4BSD NFS code works.  This is all Well-Known and Implicitly
>Understood, at least to us old farts who were there at the time.
>
>I have a nagging memory that the in-kernel Linux NFS server does a
>permissions check on each RPC, (or at least for each RPC that can
>change data).  But even if I'm recalling that much correctly, I don't
>recall if Linux checks back to the exported directory or to the
>containing mount-point (if they differ, which I think was George's
>original observation/question).
>


It was an odd anomaly that I couldn't use the following exports
together:

/hostname/shared_files -network 10/8 
/hostname/software -network 10/8 -ro

but even though /hostname is a single filesystem, I wouldn't have
expected hosts on 10/8 to access above the mount-point. On review
of netbsd 3.1 exports(5), I see the second paragraph covers this
case:

                                          and there may be only one default
     entry for each server filesystem that applies to all other hosts.  The
     latter exports the filesystem to the ``world'' and should be used only
     when the filesystem contains public information.

but I suspect the typical user/admin would misinterpret
"mount-point" for "filesystem"; the entire paragraph is confusing.

In my case I see a solution, real soon now, where users (trusted
as they are) won't be required to have accounts on 10/8; but I
imagine other sites haven't considered the "filesystem" exposure
with exports. It doesn't seem the Unix way when a mount point in
a configuration file causes exposure of the entire fs.

Glad I know now...

// George


-- 
George Georgalis, systems architect, administrator <IXOYE><
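As an added illustration of the point discussed in this thread (it is not code from the thread or from NetBSD), the following small lint reads an exports(5)-style file and maps each exported directory onto its containing server filesystem. It reports directories that are not themselves mount points (so, as der Mouse describes, a client holding any file handle on that filesystem can walk up to the mount point regardless of which subdirectory was named), entries with no host list (the "world" default entry the man page excerpt describes), and two entries on the same filesystem for the same hosts with different flags (the combination George reports mountd would not accept). The mount list and the exports text are constructed samples; on a real host the mount list would come from mount(8).

```python
"""Lint an exports(5)-style file for per-filesystem exposure (added example).

Mount points and exports below are constructed samples, not a real system.
"""
import posixpath

# Options that take a value, written either "-network 10/8" or "-network=10/8".
VALUED_OPTS = {"-maproot", "-mapall", "-network", "-mask"}

# Constructed mount points (hypothetical layout; use mount(8) on a live host).
SAMPLE_MOUNTS = ["/", "/usr", "/hostname", "/hostname/private", "/export"]

# Constructed exports file; the first two entries mirror the thread's example.
SAMPLE_EXPORTS = """\
# hypothetical /etc/exports
/hostname/shared_files -network 10/8
/hostname/software -network 10/8 -ro
/hostname/private -network 10/8 -ro
/usr/pkg -alldirs -network=192.168.1/24 -mask=255.255.255.0
/export/pub -ro
"""


def containing_mount(path, mounts):
    """Return the longest mount point that is a prefix of path ("/" if none)."""
    best = "/"
    for m in mounts:
        m = posixpath.normpath(m)
        if path == m or path.startswith(m.rstrip("/") + "/"):
            if len(m) > len(best):
                best = m
    return best


def parse_exports(text):
    """Parse exports lines into (line, directory, flags, hostspec) records."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        dirs, flags, hosts, network, mask = [], set(), [], None, None
        i = 0
        # Leading tokens that start with "/" are the exported directories.
        while i < len(tokens) and tokens[i].startswith("/"):
            dirs.append(posixpath.normpath(tokens[i]))
            i += 1
        # The rest are options (starting with "-") and plain host names.
        while i < len(tokens):
            tok = tokens[i]
            i += 1
            if not tok.startswith("-"):
                hosts.append(tok)
                continue
            name, _, value = tok.partition("=")
            if name in VALUED_OPTS and not value and i < len(tokens):
                value = tokens[i]
                i += 1
            if name == "-network":
                network = value
            elif name == "-mask":
                mask = value
            else:
                flags.add(name)
        if network:
            spec = network + ("/" + mask if mask else "")
        elif hosts:
            spec = " ".join(sorted(hosts))
        else:
            spec = "<world>"   # no host list: the default entry for the filesystem
        for d in dirs:
            entries.append((lineno, d, frozenset(flags), spec))
    return entries


def lint_exports(text, mounts):
    """Return findings as (kind, line, directory, filesystem, note) tuples."""
    findings = []
    seen = {}   # (filesystem, hostspec) -> (first line, flags)
    for lineno, d, flags, spec in parse_exports(text):
        fs = containing_mount(d, mounts)
        if d != fs:
            findings.append(("fs_exposure", lineno, d, fs,
                             f"file handles for any object on {fs} are honoured from {spec}"))
        if spec == "<world>":
            findings.append(("world", lineno, d, fs,
                             "no host list: default entry, exported to all hosts"))
        key = (fs, spec)
        if key in seen and seen[key][1] != flags:
            findings.append(("conflict", lineno, d, fs,
                             f"line {seen[key][0]} already exports {fs} to {spec} with other flags"))
        seen.setdefault(key, (lineno, flags))
    return findings


if __name__ == "__main__":
    for kind, lineno, d, fs, note in lint_exports(SAMPLE_EXPORTS, SAMPLE_MOUNTS):
        print(f"line {lineno}: {kind:12} {d} (filesystem {fs}): {note}")
```

Running it against the constructed sample flags both of the thread's lines as exposing all of /hostname to 10/8 and reports the second as conflicting with the first, while /hostname/private, which is its own filesystem in the sample mount list, produces no finding. The remedy the findings point at is the one the man page implies: put material that needs different export options, or a narrower audience, on its own server filesystem rather than relying on the directory named in the exports line.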