nfs permission escalation?
Simon 'corecode' Schubert
corecode at fs.ei.tum.de
Fri Oct 7 17:30:51 PDT 2005
hey,
I just experienced the following:
server# echo '/mnt -ro' >> /etc/exports && /etc/rc.d/mountd reload
Reloading mountd config files.
server% cd /mnt && mkdir foo && chmod 500 foo
server% cp /bin/echo foo && chmod 555 foo/echo
client# mount -t nfs server:/mnt /mnt
client# /mnt/echo foo
echo: permission denied
client% /mnt/echo foo
foo
client# /mnt/echo foo
foo
Explanation:
A directory on the server is only r-x------, the mount is exported with
default settings (=rootsquash). Root on the client can't execute a
binary from this directory.
Everything fine till here. Now I run the binary as the user on the
client: I am allowed to run it. Still fine.
Now if I try to run it as root (again), it suddenly works. I guess that
our namecache isn't aware of the rootsquashing and thus grants access to
the cached vnode.
Hope I explained this bug correctly :)
cheers
simon
--
Serve - BSD +++ RENT this banner advert +++ ASCII Ribbon /"\
Work - Mac +++ space for low $$$ NOW!1 +++ Campaign \ /
Party Enjoy Relax | http://dragonflybsd.org Against HTML \
Dude 2c 2 the max ! http://golden-apple.biz Mail + News / \
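
The sequence in the post, replayed against a small model of the cause the poster guesses at (a client name cache that does not record which credential the server authorized). This is an added example, not code from the original post or from the DragonFly kernel; the uids, the one-entry cache and every function name are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define UID_NOBODY 65534u  /* assumed squash target for client root */
#define DIR_OWNER  1001u   /* constructed uid owning foo (mode 0500) */

/* Server: squash root, then require search (x) permission on foo. */
static bool server_lookup(unsigned client_uid, const char *name)
{
    unsigned uid = (client_uid == 0) ? UID_NOBODY : client_uid;
    return uid == DIR_OWNER && strcmp(name, "echo") == 0;
}

/* Client: one-entry name cache; uid records who the server authorized. */
struct ncache { bool valid; unsigned uid; char name[16]; };

static bool client_lookup(struct ncache *nc, bool cred_aware,
                          unsigned uid, const char *name)
{
    bool hit = nc->valid && strcmp(nc->name, name) == 0;
    /* Flawed mode trusts any hit; cred-aware mode only the same uid. */
    if (hit && (!cred_aware || nc->uid == uid))
        return true;
    if (!server_lookup(uid, name))
        return false;           /* denials are not cached */
    nc->valid = true;
    nc->uid = uid;
    snprintf(nc->name, sizeof nc->name, "%s", name);
    return true;
}

/* Replay the post's sequence: root, user, root. Bit i = step i granted. */
static unsigned replay(bool cred_aware)
{
    struct ncache nc = { 0 };
    const unsigned who[3] = { 0, DIR_OWNER, 0 };
    unsigned granted = 0;
    for (int i = 0; i < 3; i++)
        if (client_lookup(&nc, cred_aware, who[i], "echo"))
            granted |= 1u << i;
    return granted;
}

int main(void)
{
    printf("uncredentialed cache:   %#x\n", replay(false));
    printf("credential-aware cache: %#x\n", replay(true));
    return 0;
}
```

With the uncredentialed cache the third step (root again) is granted from the entry the user's lookup created; with the credential recorded, root's request goes back to the server and is squashed and denied as in the first step.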