Subject: Re: exporting -ro nfs
To: None <tech-kern@netbsd.org, tech-security@netbsd.org>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-kern
Date: 01/28/2007 11:19:10

On Sat, Jan 27, 2007 at 11:17:54AM +0100, Edgar Fuß wrote:
> > if we have in exports
> >
> > /usr/local/pub/sandbox -rw
> >
> > and the /usr partition is a single filesystem. remote clients
> > have rw for anything in /usr
> I usually work around this (I hope!) by putting a null mount in between.
> E.g. null-mount /usr/local/pub/sandbox to /export/sandbox and NFS-export that.
> I hope I'm correct to believe that the filesystem the export is now limited to
> is /export/sandbox in that case.

It is and it isn't.

There are two ways to attach an NFS exported file system for what we're
discussing.

The first is to grab a file handle and issue lookups on ".." synthetically,
and to walk above the restricted exported mount point.

That method will fail here, though I'm not fully sure how it will fail.
When the walk, through the null mount, got to the root of the exported
nullfs, all of the lookup routines will notice that they are at the root
of a file system. I expect they will fail.

However if the attacker instead knows enough information about the
underlying file system to be able to synthesize a file handle for the
underlying fs, this mount restriction won't protect you. Given the
underlying file handle, the nullfs file handle can be directly generated.
That's how we make file handles now. :-)

So someone can wander around the whole file system in the export.

However someone really has to know what's going on to do this, and if you
did the random generation # step at mkfs, then it's not an easy thing to
do.

So you closed some doors but not others.

The problem is that it's not easy to close this door with the current NFS
structure.

Take care,

Bill
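The point Bill makes above, that an export below a filesystem root exposes the whole filesystem to handle-based access, and that a null mount only stops the ".." walk, not handles for the underlying fs, is something an administrator can audit for. The following is an added example (not code from this thread or from NetBSD) that checks an exports(5)-style file against a mount table. The exports text and the mount table are constructed sample input; on a real host you would read /etc/exports and the output of mount(8) instead.

```python
"""Audit NFS export directories against the mount table.

For each exported directory the script classifies it as:
  "ok"     - the directory is the root of an ordinary filesystem
  "subdir" - the directory is inside a larger filesystem, so file handles
             for that whole filesystem are reachable through the export
  "null"   - the directory is the root of a null mount; '..' walks stop
             there, but handles for the underlying filesystem still resolve
"""

# Constructed sample /etc/exports (NetBSD format: directories, then -options
# and hosts). Not taken from the mailing-list post.
EXPORTS = """\
# sandbox exported directly from the /usr filesystem
/usr/local/pub/sandbox -rw
# the same tree exported through a null mount
/export/sandbox -ro -network 192.0.2.0 -mask 255.255.255.0
/home -ro
"""

# Constructed mount table: (mount point, fstype, source). For a null mount
# the source is the underlying directory.
MOUNTS = [
    ("/", "ffs", "/dev/wd0a"),
    ("/usr", "ffs", "/dev/wd0e"),
    ("/home", "ffs", "/dev/wd0f"),
    ("/export/sandbox", "null", "/usr/local/pub/sandbox"),
]


def parse_exports(text):
    """Return the exported directories: the leading '/' fields of each line."""
    dirs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for field in line.split():
            if not field.startswith("/"):
                break          # first option or host field ends the dir list
            dirs.append(field.rstrip("/") or "/")
    return dirs


def mount_of(path, mounts):
    """Return the mount entry whose mount point is the longest prefix of path."""
    best = None
    for entry in mounts:
        mp = entry[0]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = entry
    return best


def audit(exports_text, mounts):
    """Return (exported_dir, status, filesystem_root) for every export."""
    findings = []
    for d in parse_exports(exports_text):
        mp, fstype, source = mount_of(d, mounts)
        if d != mp:
            # Export is a subtree: a handle for any file on this fs is valid.
            findings.append((d, "subdir", mp))
        elif fstype == "null":
            # Root of a null mount: report the fs the handles really point at.
            findings.append((d, "null", mount_of(source, mounts)[0]))
        else:
            findings.append((d, "ok", mp))
    return findings


if __name__ == "__main__":
    for d, status, root in audit(EXPORTS, MOUNTS):
        print(f"{d:28s} {status:7s} filesystem root: {root}")
```

Only the "ok" class actually limits what a client holding a file handle can reach; a "subdir" export is the case the original question describes, and a "null" export closes the ".." door while leaving the underlying filesystem's handles valid, exactly as Bill explains.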
