nfs permission escalation?

Simon 'corecode' Schubert corecode at
Fri Oct 7 17:30:51 PDT 2005


I just experienced the following:

server# echo '/mnt -ro' >> /etc/exports && /etc/rc.d/mountd reload
Reloading mountd config files.
server% cd /mnt && mkdir foo && chmod 500 foo
server% cp /bin/echo foo && chmod 555 foo/echo
client# mount -t nfs server:/mnt /mnt
client# /mnt/echo foo
echo: permission denied
client% /mnt/echo foo
client# /mnt/echo foo

A directory on the server is only r-x------, the mount is exported with 
default settings (=rootsquash).  Root on the client can't execute a 
binary from this directory.

Everything fine till here.  Now I run the binary as the user on the 
client:  I am allowed to run it.  Still fine.

Now if I try to run it as root (again), it suddenly works.  I guess that 
our namecache isn't aware of the rootsquashing and thus grants access to 
the cached vnode.

Hope I explained this bug correctly :)
