Subject: Re: security/6594: the default "nobody" credentials (32767:9999) do not match mountd's default (-2:-2)
To: NetBSD GNATS submissions and followups <gnats-bugs@gnats.netbsd.org>
From: David Laight <david@l8s.co.uk>
List: netbsd-bugs
Date: 09/07/2002 22:58:15
On Sat, Sep 07, 2002 at 05:30:07PM -0400, Greg A. Woods wrote:
> Not my GCC.  :-)

No, but the new one Jason is playing with might.
It generated rather a lot of signed/unsigned warnings he's been fixing.

> In any case I intended them to be cast when they are used,
Why? I actually dislike casts - they are too powerful for most places [1].
Since these are constants of type uid_t they really ought to be in
the domain of the type.  Otherwise you might as well just use -2, at
least then it is obvious what is going on....

> > I was wondering whether the 'correct' fix isn't here, but is where
> > file permissions are checked (access?).
> 
> No, I don't think so.  The UID/GID mapping is set up by mountd.  The
> mapping for superuser->anonymous is just a special common case of the
> more general mapping now also allowed by the newer '-mapall' option.
> 
> >  There uid/gid values of
> > -2 could explicitly not match any user or group.
> 
> I'm sure what you mean by that.  Do you mean "their", as in "the
> client's uid/gid values of -2/-2"?

No, "there, ..." as in where the permissions are checked.

> The mountd code needs to have some kind of default just in case the
> local user database doesn't contain a "nobody" (or whatever) user.

No: the default (checked man page again) is -maproot=-2:-2
not -maproot=nobody.

> It's really irrelevant what any client might have as a user or group for
> the ID "-2".  In a configuration set up as intended by the original
> implementers I suppose the user and group databases would be shared via
> NIS/YP, but all that really matters is the server be able to map
> accesses by client superusers into some non-superuser ID.

Does NFS predate NIS/YP?  It could easily ...
 
> The general idea behind the NFS anonymous user is to map access
> credentials from remote superusers into some local UID which in general
> is least-privileged (i.e. owns no files and thus can only write to
> world-writable places).

Yes - I was wondering whether that ought to be tightly enforced?
i.e. even if a file has uid -2 it still can't be accessed?
The permissions for created files become problematical...
 
> > Is -mapall=-2:-2 valid?
> 
> Sure (it should be, though I've not ever tried it).  Why do you think it
> would not be?

I hadn't checked that numbers were valid, especially -ve ones :-)


	David

[1] mainly due to the ability to change pointers to integers, which is only
required rarely.  I will sometimes define macros to do strongly typed
casts, eg:
#define SCHAR_TO_UCHAR(c) ((uchar *)0 + (c - (char *)0))
Although inline functions have the same effect (in gcc).

-- 
David Laight: david@l8s.co.uk
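Added illustration (not part of this thread or of the NetBSD mountd source) of the point under discussion: what the bare constant -2 becomes once it lives in the domain of uid_t, and why the "nobody" account from the subject line (32767:9999) does not own files written by a root client mapped with mountd's default -maproot=-2:-2. It assumes uid_t and gid_t are 32-bit unsigned integers; the demo_* type and struct names and the map_root helper are invented for the example and are not mountd's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption for this illustration: uid_t and gid_t are 32-bit unsigned
 * integers (as on NetBSD). Local names avoid clashing with <sys/types.h>. */
typedef uint32_t demo_uid_t;
typedef uint32_t demo_gid_t;

/* mountd's documented default anonymous credential, -maproot=-2:-2, written
 * as constants that lie in the domain of the type rather than as a bare -2. */
#define ANON_UID ((demo_uid_t)-2)
#define ANON_GID ((demo_gid_t)-2)

/* The "nobody" account from the default databases, per the bug subject line. */
#define NOBODY_UID ((demo_uid_t)32767)
#define NOBODY_GID ((demo_gid_t)9999)

/* A credential as an export's mapping hands it to the kernel (invented shape). */
struct demo_cred {
    demo_uid_t uid;
    demo_gid_t gid;
};

/* What the bare constant -2 becomes once stored in a uid of the given width:
 * 65534 for a 16-bit uid, 4294967294 for the 32-bit uid_t assumed here. */
uint64_t anon_uid_for_width(unsigned bits)
{
    if (bits == 16)
        return (uint16_t)-2;
    return (demo_uid_t)-2;
}

/* A bare int -2 equals (uid_t)-2 only because the usual arithmetic
 * conversions turn it into the same unsigned bit pattern. The explicit cast
 * below is what keeps a stricter GCC from emitting a signed/unsigned
 * comparison warning; without it the comparison still succeeds, but warns. */
int bare_minus_two_equals_anon(void)
{
    int bare = -2;
    return ANON_UID == (demo_uid_t)bare;
}

/* -maproot style mapping: a client superuser becomes the anonymous
 * credential, every other client uid passes through unchanged. */
struct demo_cred map_root(struct demo_cred client, struct demo_cred anon)
{
    if (client.uid == 0)
        return anon;
    return client;
}

/* Owner check of the kind the thread asks about: does this credential own a
 * file whose owner is file_owner? */
int owns_file(struct demo_cred cred, demo_uid_t file_owner)
{
    return cred.uid == file_owner;
}

/* 1 if the database "nobody" account would own the files a mapped root
 * client creates under mountd's default, 0 otherwise. With nobody at 32767
 * and the default anonymous uid at 4294967294 the answer is 0: such files
 * belong to an id that matches no account in the database at all. */
int nobody_owns_maproot_default_files(void)
{
    struct demo_cred root = { 0, 0 };
    struct demo_cred anon = { ANON_UID, ANON_GID };
    struct demo_cred mapped = map_root(root, anon);
    return mapped.uid == NOBODY_UID && mapped.gid == NOBODY_GID;
}

int main(void)
{
    printf("-2 as 16-bit uid: %llu\n",
           (unsigned long long)anon_uid_for_width(16));
    printf("-2 as 32-bit uid: %llu\n",
           (unsigned long long)anon_uid_for_width(32));
    printf("nobody (32767:9999) owns -maproot=-2:-2 files: %d\n",
           nobody_owns_maproot_default_files());
    return 0;
}
```

The mapping still strips the client's superuser status either way; what the mismatch changes is who ends up owning the resulting files, which is why a check that relies on the "nobody" account (by name or by its 32767:9999 ids) will not see them.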