nfs permission escalation?

Simon 'corecode' Schubert corecode at fs.ei.tum.de
Fri Oct 7 17:30:51 PDT 2005


hey,

I just experienced the following:

server# echo '/mnt -ro' >> /etc/exports && /etc/rc.d/mountd reload
Reloading mountd config files.
server% cd /mnt && mkdir foo && chmod 500 foo
server% cp /bin/echo foo && chmod 555 foo/echo
client# mount -t nfs server:/mnt /mnt
client# /mnt/echo foo
echo: permission denied
client% /mnt/echo foo
foo
client# /mnt/echo foo
foo

Explanation:
A directory on the server is only r-x------, the mount is exported with 
default settings (=rootsquash).  Root on the client can't execute a 
binary from this directory.

Everything fine till here.  Now I run the binary as the user on the 
client:  I am allowed to run it.  Still fine.

Now if I try to run it as root (again), it suddenly works.  I guess that 
our namecache isn't aware of the rootsquashing and thus grants access to 
the cached vnode.

Hope I explained this bug correctly :)

cheers
  simon
--
Serve - BSD     +++  RENT this banner advert  +++    ASCII Ribbon   /"\
Work - Mac      +++  space for low $$$ NOW!1  +++      Campaign     \ /
Party Enjoy Relax   |   http://dragonflybsd.org      Against  HTML   \
Dude 2c 2 the max   !   http://golden-apple.biz       Mail + News   / \
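
The guess in the message above (a name cache hit is handed to any caller without regard to the credential that populated it) can be modelled in a few lines of C. This is an added example, not code from the original post or from DragonFly; the uid values, the single-entry cache and every function name are assumptions made for illustration, and it assumes the client user has the same uid as the directory's owner on the server.

```c
#include <stdbool.h>
#include <stdio.h>

#define UID_NOBODY 65534u  /* assumed squash target for uid 0 */
#define DIR_OWNER  1001u   /* constructed: owner of foo (mode 0500) */

/* Server side: search permission on foo after root squashing. */
static bool server_may_search(unsigned uid)
{
    if (uid == 0)
        uid = UID_NOBODY;      /* rootsquash, the export default */
    return uid == DIR_OWNER;   /* r-x------: owner only */
}

/* Hypothetical one-entry client name cache for the lookup of foo/echo. */
struct ncentry { bool valid; unsigned uid; };

/* cred_aware == false models the guessed bug: a hit is served to any uid.
 * cred_aware == true only reuses an entry for the uid that was checked. */
static bool client_lookup(struct ncentry *nc, unsigned uid, bool cred_aware)
{
    if (nc->valid && (!cred_aware || nc->uid == uid))
        return true;           /* cache hit, server is not asked */
    if (!server_may_search(uid))
        return false;          /* server denies; nothing is cached */
    nc->valid = true;
    nc->uid = uid;
    return true;
}

/* Replays the session: root, then user, then root again.
 * Bit n of the result is set if attempt n was allowed. */
static unsigned replay(bool cred_aware)
{
    struct ncentry nc = { false, 0 };
    unsigned r = 0;
    r |= (unsigned)client_lookup(&nc, 0, cred_aware) << 0;
    r |= (unsigned)client_lookup(&nc, DIR_OWNER, cred_aware) << 1;
    r |= (unsigned)client_lookup(&nc, 0, cred_aware) << 2;
    return r;
}

int main(void)
{
    printf("credential-blind cache: %u\n", replay(false));
    printf("credential-aware cache: %u\n", replay(true));
    return 0;
}
```

With the credential-blind cache the third attempt succeeds, matching the session in the report; keying the entry on the uid that was checked keeps root denied.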