nfs permission escalation?

Matthew Dillon dillon at
Sat Oct 8 08:59:35 PDT 2005

:Yes, but should we fix it (by querying always?) or is this a common 
:problem for other implementations as well?
:   simon
    The problem is that the NFS protocol is broken.  There are a huge number
    of places in the kernel where 'root' accesses a file handle.  For example,
    the VM paging code, the filesystem sync code, the buffer cache, etc...
    The NFS server should, rightly, map root requests to the UID of the 
    object on the server (if not root), rather than require that the NFS
    client map the requests to the UID of the object on the server. 

    FreeBSD has all sorts of cred hacks to try to issue the same NFS creds 
    that were originally used to cache the data.  It's a holy mess and I 
    ripped it all out of Dragonfly (and I'm not putting it back in).  Root
    *has* to be able to properly access data.  These hacks are stop-gaps
    at best... if you have multiple non-root users accessing a file with some
    accessing it read-write and others accessing it read-only, it will blow
    up on FreeBSD too.

    The client has no knowledge of the exports mapping, and it can't do it
    itself.  The only real solution to this problem is for the NFS server
    to do the right thing with root-cred requests (map them to the uid/gid
    of the object when the object is not 0/0, and map them to -2/-2 

					Matthew Dillon 
					<dillon at xxxxxxxxxxxxx>
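
The two server-side policies contrasted in the message above, modeled as an added example that is not part of the original post or of any NFS server's code. All struct and function names are hypothetical, and because the post's last sentence is cut off, the fallback to -2/-2 for objects owned by uid 0 is this example's assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NOBODY ((uint32_t)-2)              /* the -2/-2 squash id from the post */
enum { W = 2 };                            /* write permission bit */

struct cred { uint32_t uid, gid; };
struct obj  { uint32_t uid, gid; unsigned mode; };   /* mode: low 9 bits */
typedef struct cred (*squash_fn)(struct cred, const struct obj *);

/* Conventional root squash: every uid-0 request becomes -2/-2. */
static struct cred squash_classic(struct cred c, const struct obj *o) {
    (void)o;
    if (c.uid == 0) c.uid = c.gid = NOBODY;
    return c;
}

/* Mapping described in the post: a uid-0 request takes the object's uid/gid.
 * Assumption of this example: objects owned by uid 0 fall back to -2/-2,
 * so the mapped credential is never uid 0. */
static struct cred squash_to_owner(struct cred c, const struct obj *o) {
    if (c.uid != 0) return c;
    if (o->uid == 0) { c.uid = c.gid = NOBODY; return c; }
    c.uid = o->uid; c.gid = o->gid;
    return c;
}

/* Server-side check: map the wire credential, then apply owner/group/other bits. */
static bool server_allows(squash_fn map, struct cred wire, const struct obj *o, unsigned want) {
    struct cred c = map(wire, o);
    unsigned bits = c.uid == o->uid ? o->mode >> 6
                  : c.gid == o->gid ? o->mode >> 3 : o->mode;
    return (bits & want) == want;
}

int main(void) {
    struct obj user_file = { 1001, 1001, 0600 };   /* constructed sample objects */
    struct obj root_file = { 0, 0, 0600 };
    struct cred root = { 0, 0 }, other = { 1002, 1002 };
    /* Client kernel flushes a dirty page as root after uid 1001 wrote it. */
    printf("classic  root->user_file: %d\n", server_allows(squash_classic, root, &user_file, W));
    printf("to-owner root->user_file: %d\n", server_allows(squash_to_owner, root, &user_file, W));
    printf("to-owner 1002->user_file: %d\n", server_allows(squash_to_owner, other, &user_file, W));
    printf("to-owner root->root_file: %d\n", server_allows(squash_to_owner, root, &root_file, W));
    return 0;
}
```

Under the owner mapping, a client's uid 0 can write any file not owned by uid 0 on the export, so the export's client list is the only remaining boundary for those files.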
